Abstract

We propose a framework for analyzing classical sampling strategies for estimating the Hamming 
weight of a large string from a few sample positions, when applied to a multi-qubit quantum system 
instead. The framework shows how to interpret the result of such a strategy and how to define its 
accuracy when applied to a quantum system. Furthermore, we show how the accuracy of any strategy 
relates to its accuracy in its classical usage, which is well understood for the important examples. 

We show the usefulness of our framework by using it to obtain new and simple security proofs for 
the following quantum-cryptographic schemes: quantum oblivious-transfer from bit-commitment, 
and BB84 quantum-key-distribution. 

Keywords: Random sampling, quantum key distribution, quantum oblivious transfer. 

1 Introduction 

Sampling allows one to learn some information on a large population by merely looking at a comparably small number of individuals. For instance, it is possible to predict the outcome of an election with very good accuracy by analyzing a relatively small subset of all the votes. In this work, we initiate the study of sampling in a quantum population, where we want to be able to learn information on a large quantum state by measuring only a small part. Specifically, we investigate the quantum version of the following classical sampling problem (and of variants thereof). Given a bit string $q = (q_1, \dots, q_n) \in \{0,1\}^n$ of length $n$, the task is to estimate the Hamming weight of $q$ by sampling and looking at only a few positions within $q$. This classical sampling problem is well understood. For instance, the following particular sampling strategy works well: sample (with or without replacement) a linear number of positions uniformly at random, and compute an estimate for the Hamming weight of $q$ by scaling the Hamming weight of the sample accordingly; Hoeffding's bounds guarantee that the estimate is close to the real Hamming weight except with small probability. Such a sampling strategy in particular allows one to test whether $q$ is close to the all-zero string $(0, \dots, 0)$ by looking only at a relatively small number of positions, where the test is accepted if and only if all the sample positions are zero, i.e., the estimated Hamming weight vanishes.

In the quantum version of the above sampling problem, the string $q$ is replaced by an $n$-qubit quantum system $A$. It is obvious that a sampling strategy from the classical setting can be applied to the quantum setting as well: pick a sample of qubit positions within $A$, measure (in the computational basis) these sample positions, and compute the estimate as dictated by the sampling strategy from the observed values (i.e., typically, scale the Hamming weight of the measured sample appropriately). However, what is a priori not clear is how to formally interpret the computed estimate. In the special case of testing closeness to the all-zero string, one expects that if the measurement of a random sample only produces zeros, then the initial state of $A$ must have been close to the all-zero state $|0\rangle \cdots |0\rangle$. But what is the right way to measure closeness here? For instance, it must allow for states of the form $|q\rangle$ where $q \in \{0,1\}^n$ has small Hamming weight, but it must also allow for superpositions with arbitrary states that come with a very small amplitude. In the general case of a sampling strategy that, in its classical usage, aims at estimating the Hamming weight (rather than at testing closeness to the all-zero string), it is not even clear what the estimate actually estimates when the sampling strategy is applied to an $n$-qubit quantum system, since we cannot speak of the Hamming weight of a quantum state. Furthermore, how can we quantify in a meaningful way how accurate a sampling strategy is, and how hard is it to compute (good bounds on) the accuracy of different sampling strategies, when applied to a quantum population? Finally, a last subtlety that is inherent to the quantum setting is that the execution of a sampling strategy actually changes the state of $A$ due to the measurements.

In this work, we present a framework that answers the above questions and allows us to fully understand how a classical sampling strategy behaves when applied to a quantum population, i.e., to an $n$-qubit system or, more generally, to $n$ copies of an arbitrary "atomic" system. Our framework incorporates the following. First, we specify an abstract property on the state of $A$ (after the measurements done by the sampling strategy), with the intended meaning that this is the property one should conclude from the outcome of the sampling strategy when applied to $A$. We also demonstrate that this property has useful consequences: specifically, that a suitable measurement will lead to a high-entropy outcome; this is handy in particular for quantum-cryptographic purposes. Then, we define a meaningful measure, a sort of "quantum error probability" (although technically speaking it is not a probability), that tells how reliable it is to conclude the specified property from the outcome of the sampling strategy. Finally, we show that for any sampling strategy, the quantum error probability of the strategy, as we define it, is bounded by the square root of its classical error probability. This means that in order to understand how well a sampling strategy performs in the quantum setting, it suffices to analyze it in the classical setting, which is typically much simpler. Furthermore, for typical sampling strategies, like when picking the sample uniformly at random, there are well-known good bounds on the classical error probability.

We demonstrate the usefulness of our framework by means of two applications. Our applications do 
not constitute actual new results, but they provide new and simple(r) proofs for known results, both in 
the area of quantum cryptography. We take this as strong indication for the usefulness of the framework, 
and that the framework is likely to prove valuable in other applications as well. 

The first application is to quantum oblivious transfer (QOT). It is well known that QOT is not possible from scratch; however, one can build a secure QOT scheme when given a bit-commitment (BC) primitive "for free".^1 Like QOT, also QBC is impossible from scratch; nevertheless, the implication from BC to QOT is interesting from a theoretical point of view, since the corresponding implication does not hold in the classical setting. The existence of a QOT scheme based on a BC was suggested by Bennett et al. in 1991 [BBCS92];^2 however, no security proof was provided. Mayers and Salvail proved security of the QOT scheme against a restricted adversary that only performs individual measurements [MS94], and finally, in 1995, Yao gave a security proof against a general adversary, which is allowed to do fully coherent measurements [Yao95]. However, from today's perspective, Yao's proof is still not fully satisfactory: it is very technical, without intuition and hard to follow, and it measures the adversary's information in terms of "accessible information", which has proven to be too weak an information measure.

1 We use BC and OT as short-hands for the respective abstract primitives, bit commitment and oblivious transfer, and we write QBC and QOT for potential schemes implementing the respective primitives in the quantum setting.

2 At that time, QBC was thought to be possible, and thus the QOT scheme was claimed to be implementable from scratch.

Here, we show how our framework for analyzing sampling strategies in the quantum setting leads to a conceptually very simple and easy-to-understand security proof for QOT from BC. The proof essentially works as follows: When considering a purified version of the QOT scheme, the commit-and-open phase of the QOT scheme can be viewed as executing a specific sampling strategy. From the framework, it then follows that some crucial piece of information has high entropy from the adversary's point of view. The proof is then concluded by applying the privacy amplification theorem. In recent work of the second author [DFL+09], it is shown that the same kind of analysis is not restricted to QOT but actually applies to a large class of two-party quantum-cryptographic schemes which are based on a commit-and-open phase.

The second application we discuss is to quantum key distribution (QKD). Also here, our framework allows for a simple and easy-to-understand security proof, namely for the BB84 QKD scheme.^3 Similarly to our proof for QOT, we can view the checking phase of the BB84 scheme as executing a specific sampling strategy (although here some additional non-trivial observation needs to be made). From the framework, we can then conclude that the raw key has high entropy from the adversary's point of view, and again privacy amplification finishes the job.

As for QOT, also QKD schemes initially came without security proofs, and proving QKD schemes rigorously secure turned out to be an extremely challenging and subtle task. Nowadays, though, the security of QKD schemes is better understood, and we know of various ways of proving, say, BB84 secure, ranging from Shor and Preskill's proof based on quantum error-correcting codes to Renner's approach using a quantum De Finetti theorem, which allows one to reduce security against general attacks to security against the much weaker class of so-called collective attacks. As such, our proof may safely be viewed as "yet another BB84 QKD proof". Nevertheless, when compared to other proofs, it has some nice features: It provides an explicit and easy-to-compute expression for the security of the scheme (in contrast to most proofs in the literature, which merely provide an asymptotic analysis), it does not require any "symmetrization of the qubits" (e.g. by applying a random permutation) from the protocol, and it is technically not very involved (e.g. compared to the proofs involving Renner's quantum De Finetti theorem). Furthermore, it immediately gives a direct security proof, rather than a reduction to the security against collective attacks.



2 Notation, Terminology, and Some Tools 

Strings and Hamming Weight. Throughout the paper, $\mathcal{A}$ denotes some fixed finite alphabet with $0 \in \mathcal{A}$. It is safe to think of $\mathcal{A}$ as $\{0,1\}$, but our claims also hold for larger alphabets. For a string $q = (q_1, \dots, q_n) \in \mathcal{A}^n$ of arbitrary length $n \geq 0$, the Hamming weight of $q$ is defined as the number of non-zero entries in $q$: $wt(q) := |\{i \in [n] : q_i \neq 0\}|$, where we use $[n]$ as shorthand for $\{1, \dots, n\}$. We also use the notion of the relative Hamming weight of $q$, defined as $\omega(q) := wt(q)/n$. By convention, the relative Hamming weight of the empty string $\bot$ is set to $\omega(\bot) := 0$. For a string $q = (q_1, \dots, q_n) \in \mathcal{A}^n$ and a subset $J \subseteq [n]$, we write $q_J := (q_i)_{i \in J}$ for the restriction of $q$ to the positions $i \in J$.

3 Actually, we prove security for an entanglement-based version of BB84, which was first proposed by Ekert, and which implies security for the original BB84 scheme.



Random Variables and Hoeffding's Inequalities. Formally, a random variable is a function $X : \Omega \to \mathcal{X}$ with the sample space $\Omega$ of a probability space $(\Omega, \Pr)$ as domain, and some arbitrary finite set $\mathcal{X}$ as range. The distribution of $X$, which we denote as $P_X$, is given by $P_X(x) = \Pr[X = x] = \Pr[\{\omega \in \Omega : X(\omega) = x\}]$. The joint distribution of two (or more) random variables $X$ and $Y$ is denoted by $P_{XY}$, i.e., $P_{XY}(x,y) = \Pr[X = x \wedge Y = y]$. Usually, we leave the probability space $(\Omega, \Pr)$ implicit, and understand random variables to be defined by their joint distribution, or by some "experiment" that uniquely determines their joint distribution. Random variables $X$ and $Y$ are independent if $P_{XY} = P_X P_Y$ (in the sense that $P_{XY}(x,y) = P_X(x) P_Y(y)$ for all $x \in \mathcal{X}$, $y \in \mathcal{Y}$).

We will make extensive use of Hoeffding's inequalities for random sampling with and without replacement, as developed in [Hoe63]. The following theorem summarizes these inequalities, tailored to our needs.^4

Theorem 1 (Hoeffding). Let $b \in \{0,1\}^n$ be a bit string with relative Hamming weight $\mu = \omega(b)$. Let the random variables $X_1, X_2, \dots, X_k$ be obtained by sampling $k$ random entries from $b$ with replacement, i.e., the $X_i$'s are independent and $P_{X_i}(1) = \mu$. Furthermore, let the random variables $Y_1, Y_2, \dots, Y_k$ be obtained by sampling $k$ random entries from $b$ without replacement. Then, for any $\delta > 0$, the random variables $\bar{X} := \frac{1}{k}\sum_i X_i$ and $\bar{Y} := \frac{1}{k}\sum_i Y_i$ satisfy

$$\Pr[|\bar{Y} - \mu| \geq \delta] \leq \Pr[|\bar{X} - \mu| \geq \delta] \leq 2\exp(-2\delta^2 k).$$

For the case of sampling without replacement, a slightly sharper bound was found by Serfling [Ser74]:

$$\Pr[|\bar{Y} - \mu| \geq \delta] \leq 2\exp\!\left(-\frac{2\delta^2 k}{1 - \frac{k-1}{n}}\right).$$

Quantum Systems and States. We assume the reader to be familiar with the basic concepts of quantum information theory; we merely fix some terminology and notation here. A quantum system $A$ is associated with a complex Hilbert space, $\mathcal{H} = \mathbb{C}^d$, its state space. The state of $A$ is given, in the case of a pure state, by a norm-1 state vector $|\psi\rangle \in \mathcal{H}$, respectively, in the case of a mixed state, by a trace-1 positive-semidefinite operator/matrix $\rho : \mathcal{H} \to \mathcal{H}$. In order to simplify language, we are sometimes a bit sloppy in distinguishing between a quantum system, its state, and the state vector or density matrix describing the state. By default, we write $\mathcal{H}_A$ for the state space of system $A$, and $\rho_A$ (respectively $|\psi_A\rangle$ in case of a pure state) for the state of $A$.

The state space of a bipartite quantum system $AB$, consisting of two (or more) subsystems, is given by $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$. If the state of $AB$ is given by $\rho_{AB}$, then the state of subsystem $A$, when treated as a stand-alone system, is given by the partial trace $\rho_A = \mathrm{tr}_B(\rho_{AB})$, and correspondingly for $B$. Measuring a system $A$ in basis $\{|i\rangle\}_{i \in I}$, where $\{|i\rangle\}_{i \in I}$ is an orthonormal basis of $\mathcal{H}_A$, means applying the measurement described by the projectors $\{|i\rangle\langle i|\}_{i \in I}$, such that outcome $i \in I$ is observed with probability $p_i = \mathrm{tr}(|i\rangle\langle i|\,\rho_A)$ (respectively $p_i = |\langle i|\psi_A\rangle|^2$ in case of a pure state). If $A$ is a subsystem of a bipartite system $AB$, then it means applying the measurement described by the projectors $\{|i\rangle\langle i| \otimes \mathbb{I}_B\}_{i \in I}$, where $\mathbb{I}_B$ is the identity operator on $\mathcal{H}_B$.

A qubit is a quantum system $A$ with state space $\mathcal{H}_A = \mathbb{C}^2$. The computational basis $\{|0\rangle, |1\rangle\}$ (for a qubit) is given by $|0\rangle = \binom{1}{0}$ and $|1\rangle = \binom{0}{1}$, and the Hadamard basis by $H\{|0\rangle, |1\rangle\} = \{H|0\rangle, H|1\rangle\}$, where $H$ denotes the 2-dimensional Hadamard matrix $H = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$. The state space of an $n$-qubit system $A = A_1 \cdots A_n$ is given by $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes n} = \mathbb{C}^2 \otimes \cdots \otimes \mathbb{C}^2$. For $x = (x_1, \dots, x_n)$ and $\theta = (\theta_1, \dots, \theta_n)$ in $\{0,1\}^n$, we write $|x\rangle$ for $|x\rangle = |x_1\rangle \cdots |x_n\rangle$ and $H^\theta$ for $H^\theta = H^{\theta_1} \otimes \cdots \otimes H^{\theta_n}$, and thus $H^\theta|x\rangle$ for $H^\theta|x\rangle = H^{\theta_1}|x_1\rangle \cdots H^{\theta_n}|x_n\rangle$. Finally, we write $\{|0\rangle, |1\rangle\}^{\otimes n} = \{|x\rangle : x \in \{0,1\}^n\}$ for the computational basis on an $n$-qubit system, and $H^\theta\{|0\rangle, |1\rangle\}^{\otimes n} = \{H^\theta|x\rangle : x \in \{0,1\}^n\} = H^{\theta_1}\{|0\rangle, |1\rangle\} \otimes \cdots \otimes H^{\theta_n}\{|0\rangle, |1\rangle\}$ for the basis that is made up of the computational basis on the subsystems $A_i$ with $\theta_i = 0$ and of the Hadamard basis on the subsystems $A_i$ with $\theta_i = 1$. In order to simplify notation, we will sometimes abuse terminology and speak of the basis $\theta$ when we actually mean $H^\theta\{|0\rangle, |1\rangle\}^{\otimes n}$.

4 Interestingly, the inequality with respect to random sampling without replacement does not seem to be very commonly known.

We measure closeness of two states $\rho$ and $\sigma$ by their trace distance: $\Delta(\rho, \sigma) := \frac{1}{2}\mathrm{tr}|\rho - \sigma|$, where for any square matrix $M$, $|M|$ denotes the positive-semidefinite square root of $M^\dagger M$. For pure states $|\psi\rangle$ and $|\phi\rangle$, the trace distance of the corresponding density matrices coincides with $\Delta(|\psi\rangle\langle\psi|, |\phi\rangle\langle\phi|) = \sqrt{1 - |\langle\psi|\phi\rangle|^2}$. If the states of two systems $A$ and $B$ are $\varepsilon$-close, i.e., $\Delta(\rho_A, \rho_B) \leq \varepsilon$, then $A$ and $B$ cannot be distinguished with advantage greater than $\varepsilon$; in other words, $A$ behaves exactly like $B$, except with probability $\varepsilon$.

Classical and Hybrid Systems (and States). Subsystem $X$ of a bipartite quantum system $XE$ is called classical if the state of $XE$ is given by a density matrix of the form



where $\mathcal{X}$ is a finite set of cardinality $|\mathcal{X}| = \dim(\mathcal{H}_X)$, $P_X : \mathcal{X} \to [0,1]$ is a probability distribution, $\{|x\rangle\}_{x \in \mathcal{X}}$ is some fixed orthonormal basis of $\mathcal{H}_X$, and $\rho_E^x$ is a density matrix on $\mathcal{H}_E$ for every $x \in \mathcal{X}$. Such a state, called a hybrid or cq- (for classical-quantum) state, can equivalently be understood as consisting of a random variable $X$ with distribution $P_X$, taking on values in $\mathcal{X}$, and a system $E$ that is in state $\rho_E^x$ exactly when $X$ takes on the value $x$. This formalism naturally extends to two (or more) classical systems $X$, $Y$ etc.

If the state of $XE$ satisfies $\rho_{XE} = \rho_X \otimes \rho_E$, where $\rho_X = \mathrm{tr}_E(\rho_{XE}) = \sum_x P_X(x)|x\rangle\langle x|$ and $\rho_E = \mathrm{tr}_X(\rho_{XE}) = \sum_x P_X(x)\rho_E^x$, then $X$ is independent of $E$, and thus no information on $X$ can be obtained from system $E$. Moreover, if $\rho_{XE} = \frac{1}{|\mathcal{X}|}\mathbb{I}_X \otimes \rho_E$, where $\mathbb{I}_X$ denotes the identity on $\mathcal{H}_X$, then $X$ is random-and-independent of $E$. This is what is aimed for in quantum cryptography, when $X$ represents a classical cryptographic key and $E$ the adversary's potential quantum information on $X$.

It is not too hard to see that for two hybrid states $\rho_{XE}$ and $\rho_{XE'}$ with the same (distribution of) $X$, the trace distance between $\rho_{XE}$ and $\rho_{XE'}$ can be computed as $\Delta(\rho_{XE}, \rho_{XE'}) = \sum_x P_X(x)\,\Delta(\rho_E^x, \rho_{E'}^x)$.

Min-Entropy and Privacy Amplification. We make use of Renner's notion of the conditional min-entropy $H_{\min}(\rho_{XE}|E)$ of a system $X$ conditioned on another system $E$ [Ren05]. Although the notion makes sense for arbitrary states, we restrict to hybrid states $\rho_{XE}$ with classical $X$. If the hybrid state $\rho_{XE}$ is clear from the context, we may write $H_{\min}(X|E)$ instead of $H_{\min}(\rho_{XE}|E)$. The formal definition, given by $H_{\min}(\rho_{XE}|E) := \sup_{\sigma_E} \max\{h \in \mathbb{R} : 2^{-h} \cdot \mathbb{I}_X \otimes \sigma_E - \rho_{XE} \geq 0\}$ where the supremum is over all density matrices $\sigma_E$ on $\mathcal{H}_E$, is not very relevant to us; we merely rely on some elementary properties. For instance, the chain rule guarantees that $H_{\min}(X|YE) \geq H_{\min}(XY|E) - \log(|\mathcal{Y}|) \geq H_{\min}(X|E) - \log(|\mathcal{Y}|)$ for classical $X$ and $Y$ with respective ranges $\mathcal{X}$ and $\mathcal{Y}$, where here and throughout the article $\log$ denotes the binary logarithm, whereas $\ln$ denotes the natural logarithm. Furthermore, it holds that if $E'$ is obtained from $E$ by measuring (part of) $E$, then $H_{\min}(X|E') \geq H_{\min}(X|E)$.

Finally, we make use of Renner's privacy amplification theorem [RK05, Ren05], as given below. Recall that a function $g : \mathcal{R} \times \mathcal{X} \to \{0,1\}^\ell$ is called a universal (hash) function if, for the random variable $R$, uniformly distributed over $\mathcal{R}$, and for any distinct $x, y \in \mathcal{X}$: $\Pr[g(R,x) = g(R,y)] \leq 2^{-\ell}$.

Theorem 2 (Privacy amplification). Let $\rho_{XE}$ be a hybrid state with classical $X$. Let $g : \mathcal{R} \times \mathcal{X} \to \{0,1\}^\ell$ be a universal hash function, and let $R$ be uniformly distributed over $\mathcal{R}$, independent of $X$ and $E$. Then $K = g(R,X)$ satisfies



Informally, Theorem 2 states that if $X$ contains sufficiently more than $\ell$ bits of entropy when given $E$, then $\ell$ nearly random-and-independent bits can be extracted from $X$.

3 Sampling in a Classical Population 

As a warm-up, and in order to study some useful examples and introduce some convenient notation, we 
start with the classical sampling problem, which is rather well-understood. 

3.1 Sampling Strategies 

Let $q = (q_1, \dots, q_n) \in \mathcal{A}^n$ be a string of given length $n$. We consider the problem of estimating the relative Hamming weight $\omega(q)$ by only looking at a substring $q_t$ of $q$, for a small subset $t \subseteq [n]$.^5 Actually, we are interested in the equivalent problem of estimating the relative Hamming weight $\omega(q_{\bar{t}})$ of the remaining string $q_{\bar{t}}$, where $\bar{t}$ is the complement $\bar{t} = [n] \setminus t$ of $t$.^6 A canonical way to do so would be to sample a uniformly random subset (say, of a certain small size) of positions, and compute the relative Hamming weight of the sample as estimate. Very generally, we allow any strategy that picks a subset $t \subseteq [n]$ according to some probability distribution and computes the estimate for $\omega(q_{\bar{t}})$ as some (possibly randomized) function of $t$ and $q_t$, i.e., as $f(t, q_t, s)$ for a seed $s$ that is sampled according to some probability distribution. This motivates the following formal definition.

Definition 1 (Sampling strategy). A sampling strategy $\Psi$ consists of a triple $(P_T, P_S, f)$, where $P_T$ is a distribution over the subsets of $[n]$, $P_S$ is an (independent) distribution over a finite set $\mathcal{S}$, and $f$ is a function

$$f : \{(t, v) : t \subseteq [n],\ v \in \mathcal{A}^{|t|}\} \times \mathcal{S} \to \mathbb{R}.$$

We stress that a sampling strategy as defined here specifies how to choose the sample subset as well as how to compute the estimate from the sample (thus a more appropriate but lengthy name would be a "sample-and-estimate strategy").

Remark 1. By definition, the choice of the seed $s$ is specified to be independent of $t$, i.e., $P_{TS} = P_T P_S$. Sometimes, however, it is convenient to allow $s$ to depend on $t$. We can actually do so without contradicting Definition 1. Namely, to comply with the independence requirement, we would simply choose a (typically huge) "container" seed that contains a seed for every possible choice of $t$, each one chosen with the corresponding distribution, and it is then part of $f$'s task, when given $t$, to select the seed that is actually needed out of the container seed.^7

5 More generally, we may consider the problem of estimating the Hamming distance of $q$ to some arbitrary reference string $q^\circ$; but this can obviously be done simply by estimating the Hamming weight of $q' = q - q^\circ$.

6 The reason for this, as will become clear later, is that in our applications, the sampled positions within $q$ will be discarded, and thus we will be interested merely in the remaining positions.

A sampling strategy $\Psi$ can obviously also be used to test if $q$ (or actually $q_{\bar{t}}$) is close to the all-zero string $0 \cdots 0$: compute the estimate for $\omega(q_{\bar{t}})$ as dictated by $\Psi$, and accept if the estimate vanishes and else reject.

We briefly discuss five example sampling strategies. The examples should illustrate the generality of the definition, and some of the examples will be used later on; however, the reader is free to skip (some of) them. We start with the canonical example mentioned in the beginning.

Example 1 (Random sampling without replacement).

In random sampling without replacement, $k$ distinct indices $i_1, \dots, i_k$ within $[n]$ are chosen uniformly at random, where $k$ is some parameter, and the relative Hamming weight of $q_{\{i_1, \dots, i_k\}}$ is used as estimate for $\omega(q_{\bar{t}})$. Formally, this sampling strategy is given by $\Psi = (P_T, P_S, f)$ where $P_T(t) = 1/\binom{n}{k}$ if $|t| = k$ and else $P_T(t) = 0$, $\mathcal{S} = \{\bot\}$ and thus $P_S(\bot) = 1$, and $f(t, q_t, \bot) = f(t, q_t) = \omega(q_t)$. ◇

With the second example, we show that also sampling with replacement is captured by our definition.

Example 2 (Random sampling with replacement).

In random sampling with replacement, $k$ indices $i_1, \dots, i_k$ are chosen independently and uniformly at random within $[n]$, where $k$ is some parameter, and the relative Hamming weight of the string $(q_{i_1}, \dots, q_{i_k})$ is used as estimate for $\omega(q_{\bar{t}})$. Note that here $i_\ell$ may coincide with $i_{\ell'}$ for $\ell \neq \ell'$, in which case $(q_{i_1}, \dots, q_{i_k})$ is not equal to $q_{\{i_1, \dots, i_k\}}$. To make this fit into Definition 1, we set $t$ to be $\{i_1, \dots, i_k\}$, and we let $f(t, q_t, s)$ be given by $\omega(q_{j_1}, \dots, q_{j_k})$, where $j_1, \dots, j_k$ is determined by the seed $s$ among all possibilities with $\{j_1, \dots, j_k\} = t$. It is cumbersome and of no importance to us to determine the correct distributions $P_T$ and $P_S$ for $t$ and $s$, respectively; it is sufficient to realize that random sampling with replacement is captured by Definition 1. ◇

Next, we sample by picking a uniformly random subset (without restricting its size).

Example 3 (Uniformly random subset sampling).

The sample set $t$ is chosen as a uniformly random subset of $[n]$, and the estimate is computed as the relative Hamming weight of the sample $q_t$. Formally, $P_T(t) = 1/2^n$ for any $t \subseteq [n]$, and $\mathcal{S} = \{\bot\}$ and $f(t, q_t, \bot) = f(t, q_t) = \omega(q_t)$. ◇

As a fourth example, we consider a somewhat unnatural and in some sense non-optimal sampling strategy. This example, though, will be of use in our analysis of quantum oblivious transfer in Section 5.

Example 4 (Random sampling without replacement, using only part of the sample).

This example can be viewed as a composition of Examples 1 and 3. Namely, $t$ is chosen as a random subset of fixed size $k$, as in Example 1, so that $P_T(t) = 1/\binom{n}{k}$ for $t \subseteq [n]$ with $|t| = k$. But now, only part of the sample $q_t$ is used to compute the estimate. Namely, the estimate is computed as

$$f(t, q_t, s) = \omega(q_s),$$

where the seed $s$ is chosen as a uniformly random subset $s$ of $t$, i.e., $P_S(s) = 1/2^k$ for any $s \subseteq t$. Recall from Remark 1 that the choice of $s$ is allowed to depend on $t$. We would like to point out that when we use Example 4 in Section 5, it is useful that the restriction to the subset $s$ is part of the evaluation of $f$, rather than part of the selection of the sample subset $t$. ◇

7 Alternatively, we could simply drop the independence requirement in Definition 1; however, we feel it is conceptually easier to think of the seed as being independently chosen.

In the fifth example we consider another somewhat unnatural sampling strategy, which though will be useful for the QKD proof in Section 6.

Example 5 (Pairwise one-out-of-two sampling, using only part of the sample).

For this example, it is convenient to consider the index set from which the subset $t$ is chosen to be of the form $[n] \times \{0,1\}$. Namely, we consider the string $q \in \mathcal{A}^{2n}$ to be indexed by pairs of indices, $q = (q_{ij})$, where $i \in [n]$ and $j \in \{0,1\}$; in other words, we consider $q$ to consist of $n$ pairs $(q_{i0}, q_{i1})$. The subset $t \subseteq [n] \times \{0,1\}$ is chosen as $t = \{(1, j_1), \dots, (n, j_n)\}$ where every $j_k$ is picked independently at random in $\{0,1\}$. In other words, $t$ selects one element from each pair $(q_{i0}, q_{i1})$. Furthermore, the estimate for $\omega(q_{\bar{t}})$ is computed from $q_t$ as $f(t, q_t, s) = \omega(q_s)$ where the seed $s$ is a random subset $s \subseteq t$ of size $k$. ◇

Example 6 (Pairwise biased one-out-of-two sampling, using only part of the sample).

In this example we consider a similar situation as in Example 5, except that we now construct $t$ by sampling every $j_k$ according to the Bernoulli distribution $(p, 1-p)$. Consequently, we compute the estimate for $\omega(q_{\bar{t}})$ slightly differently, but we will make this clear in Appendix A.6. ◇

3.2 The Error Probability 

After having introduced the general notion of a sampling strategy, we next want to define a measure that captures for a given sampling strategy how well it performs, i.e., with what probability the estimate $f(t, q_t, s)$ is how close to the real value $\omega(q_{\bar{t}})$. For the definition, it will be convenient to introduce the following notation. For a given sampling strategy $\Psi = (P_T, P_S, f)$, consider arbitrary but fixed choices for the subset $t \subseteq [n]$ and the seed $s \in \mathcal{S}$ with $P_T(t) > 0$ and $P_S(s) > 0$. Furthermore, fix an arbitrary $\delta > 0$. Define $B^\delta_{t,s}(\Psi) \subseteq \mathcal{A}^n$ as

$$B^\delta_{t,s}(\Psi) := \{b \in \mathcal{A}^n : |\omega(b_{\bar{t}}) - f(t, b_t, s)| < \delta\},$$

i.e., as the set of all strings $q$ for which the estimate is $\delta$-close to the real value, assuming that subset $t$ and seed $s$ have been used. To simplify notation, if $\Psi$ is clear from the context, we simply write $B^\delta_{t,s}$ instead of $B^\delta_{t,s}(\Psi)$. By replacing the specific values $t$ and $s$ by the corresponding (independent) random variables $T$ and $S$, with distributions $P_T$ and $P_S$, respectively, we obtain the random variable $B^\delta_{T,S}$, whose range consists of subsets of $\mathcal{A}^n$. By means of this random variable, we now define the error probability of a sampling strategy as follows.

Definition 2 (Error probability). The (classical) error probability of a sampling strategy $\Psi = (P_T, P_S, f)$ is defined as the following value, parametrized by $0 < \delta < 1$:

$$\varepsilon^\delta_{\mathrm{class}}(\Psi) := \max_{q \in \mathcal{A}^n} \Pr\big[q \notin B^\delta_{T,S}(\Psi)\big].$$

By definition of the error probability, it is guaranteed that for any string $q \in \mathcal{A}^n$, the estimated value is $\delta$-close to the real value except with probability at most $\varepsilon^\delta_{\mathrm{class}}(\Psi)$. When used as a sampling strategy to test closeness to the all-zero string, $\varepsilon^\delta_{\mathrm{class}}(\Psi)$ determines the probability of accepting even though $q_{\bar{t}}$ is "not close" to the all-zero string, in the sense that its relative Hamming weight exceeds $\delta$. Whenever $\Psi$ is clear from the context, we will write $\varepsilon^\delta_{\mathrm{class}}$ instead of $\varepsilon^\delta_{\mathrm{class}}(\Psi)$.

In Appendix A we analyze the error probabilities for the sampling strategies considered in Examples 1 to 6, excluding Example 2, and we show them all to be exponentially small by applying Hoeffding's inequality in a suitable way.
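As an added illustration (not code from the paper), the following Python casts Definition 1 as a small class, instantiates Examples 1, 3, 4 and 5, estimates by simulation the probability inside Definition 2 for one constructed string, and reports the $2\exp(-2\delta^2 k)$ value of Theorem 1 next to it as a reference point. The strategy names, the binary alphabet, the seed handling and the input string are our own assumptions.

```python
import math
import random
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Sequence

# Added example: all names, the alphabet A = {0,1} and the inputs are our
# constructions; positions are 0-based here, the paper uses [n] = {1..n}.

def rel_weight(q: Sequence[int]) -> float:
    """Relative Hamming weight omega(q); omega of the empty string is 0 by convention."""
    return sum(1 for x in q if x != 0) / len(q) if q else 0.0

@dataclass
class SamplingStrategy:
    """Psi = (P_T, P_S, f): sample_t draws t ~ P_T, sample_s draws s ~ P_S
    (s may depend on t, cf. Remark 1), and f maps (t, q_t, s) to the estimate."""
    sample_t: Callable[[int, random.Random], FrozenSet[int]]
    sample_s: Callable[[FrozenSet[int], random.Random], object]
    f: Callable[[FrozenSet[int], Dict[int, int], object], float]

    def estimate(self, q: Sequence[int], rng: random.Random):
        t = self.sample_t(len(q), rng)
        s = self.sample_s(t, rng)
        q_t = {i: q[i] for i in t}          # the restriction q_t, keyed by position
        return t, s, self.f(t, q_t, s)

def example1(k: int) -> SamplingStrategy:
    """Random sampling without replacement: |t| = k, estimate omega(q_t)."""
    return SamplingStrategy(
        sample_t=lambda n, rng: frozenset(rng.sample(range(n), k)),
        sample_s=lambda t, rng: None,
        f=lambda t, q_t, s: rel_weight(list(q_t.values())))

def example3() -> SamplingStrategy:
    """Uniformly random subset sampling: every position lands in t with prob. 1/2."""
    return SamplingStrategy(
        sample_t=lambda n, rng: frozenset(i for i in range(n) if rng.random() < 0.5),
        sample_s=lambda t, rng: None,
        f=lambda t, q_t, s: rel_weight(list(q_t.values())))

def example4(k: int) -> SamplingStrategy:
    """As Example 1, but f only uses a uniformly random subset s of t."""
    return SamplingStrategy(
        sample_t=lambda n, rng: frozenset(rng.sample(range(n), k)),
        sample_s=lambda t, rng: frozenset(i for i in t if rng.random() < 0.5),
        f=lambda t, q_t, s: rel_weight([q_t[i] for i in s]))

def example5(k: int) -> SamplingStrategy:
    """Pairwise one-out-of-two sampling on q in A^{2n}: pair i occupies
    positions (2i, 2i+1); t takes one of each pair, s is a size-k subset of t."""
    return SamplingStrategy(
        sample_t=lambda m, rng: frozenset(2 * i + rng.randrange(2) for i in range(m // 2)),
        sample_s=lambda t, rng: frozenset(rng.sample(sorted(t), k)),
        f=lambda t, q_t, s: rel_weight([q_t[i] for i in s]))

def closeness_test(strategy: SamplingStrategy, q: Sequence[int], seed: int) -> bool:
    """Closeness test to the all-zero string: accept iff the estimate vanishes."""
    _, _, est = strategy.estimate(q, random.Random(seed))
    return est == 0.0

def empirical_error(strategy: SamplingStrategy, q: Sequence[int], delta: float,
                    trials: int, rng: random.Random) -> float:
    """Monte Carlo estimate of Pr[q not in B^delta_{T,S}], i.e. of
    Pr[|omega(q_tbar) - f(t, q_t, s)| >= delta] for this fixed q.
    Definition 2 takes the maximum of this quantity over all q in A^n."""
    n, bad = len(q), 0
    for _ in range(trials):
        t, _, est = strategy.estimate(q, rng)
        q_tbar = [q[i] for i in range(n) if i not in t]   # the remaining string
        if abs(rel_weight(q_tbar) - est) >= delta:
            bad += 1
    return bad / trials

def hoeffding_bound(delta: float, k: int) -> float:
    """2 exp(-2 delta^2 k) from Theorem 1, which bounds Pr[|X - mu| >= delta]
    for k samples with mu = omega(q), not omega(q_tbar); so this is only a
    reference point, not the value the paper proves for epsilon_class."""
    return 2 * math.exp(-2 * delta ** 2 * k)

def run_demo(seed: int = 7, n: int = 200, k: int = 50, delta: float = 0.2,
             trials: int = 2000) -> Dict[str, float]:
    """Constructed input: q of length n with omega(q) = 1/2, built from
    alternating pairs (1, 0) so that it also fits Example 5's pair structure."""
    rng = random.Random(seed)
    q = [1 if i % 2 == 0 else 0 for i in range(n)]
    return {
        "hoeffding_ref": hoeffding_bound(delta, k),
        "ex1": empirical_error(example1(k), q, delta, trials, rng),
        "ex3": empirical_error(example3(), q, delta, trials, rng),
        "ex4": empirical_error(example4(k), q, delta, trials, rng),
        "ex5": empirical_error(example5(k), q, delta, trials, rng),
    }
```

Running `run_demo()` shows Examples 4 and 5 erring noticeably more often than Examples 1 and 3 at the same $k$, since they discard part of the sample, which is the sense in which the text calls them non-optimal.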

4 Sampling in a Quantum Population 

We now want to study the behavior of a sampling strategy when applied to a quantum population. More specifically, let $A = A_1 \cdots A_n$ be an $n$-partite quantum system, where the state space of each system $A_i$ equals $\mathcal{H}_{A_i} = \mathbb{C}^d$ with $d = |\mathcal{A}|$, and let $\{|a\rangle\}_{a \in \mathcal{A}}$ be a fixed orthonormal basis of $\mathbb{C}^d$. We allow $A$ to be entangled with some additional system $E$ with arbitrary finite-dimensional state space $\mathcal{H}_E$. We may assume the joint state of $AE$ to be pure, and as such be given by a state vector $|\varphi_{AE}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$; if not, then it can be purified by increasing the dimension of $\mathcal{H}_E$.

Similar to the classical sampling problem of testing closeness to the all-zero string, we can consider here the problem of testing if the state of $A$ is close to the all-zero reference state $|\varphi_A\rangle = |0\rangle \cdots |0\rangle$ by looking at, which here means measuring, only a few of the subsystems of $A$. More generally, we will be interested in the sampling problem of estimating the "Hamming weight of the state of $A$", although it is not clear at the moment what this should mean. Actually, like in the classical case, we are interested in testing closeness to the all-zero state, respectively estimating the Hamming weight, of the remaining subsystems of $A$.

It is obvious that a sampling strategy $\Psi = (P_T, P_S, f)$ can be applied in a straightforward way to the setting at hand: sample $t$ according to $P_T$, measure the subsystems $A_i$ with $i \in t$ in basis $\{|a\rangle\}_{a \in \mathcal{A}}$ to observe $q_t \in \mathcal{A}^{|t|}$, and compute the estimate as $f(t, q_t, s)$ for $s$ chosen according to $P_S$ (respectively, for testing closeness to the all-zero state, accept or reject depending on the value of the estimate). However, it is a priori not clear how to interpret the outcome. Measuring a random subset of the subsystems of $A$ and observing $0$ all the time indeed seems to suggest that the original state of $A$, and thus the remaining subsystems, must be in some sense close to the all-zero state; but what is the right way to formalize this? In the case of a general sampling strategy for estimating the (relative) Hamming weight, what does the estimate actually estimate? And, do all strategies that perform well in the classical setting also perform well in the quantum setting?

We give in this section a rigorous analysis of sampling strategies when applied to an $n$-partite quantum system $A$. Our analysis completely answers the above concerns. Later in the paper, we demonstrate the usefulness of our analysis of sampling strategies for studying and analyzing quantum-cryptographic schemes.

4.1 Analyzing Sampling Strategies in the Quantum Setting 

We start by suggesting the property on the remaining subsystems of $A$ that one should expect to be able to conclude from the outcome of a sampling strategy. A somewhat natural approach is as follows.

Definition 3. For system $AE$, and similarly for any subsystem of $A$, we say that the state $|\varphi_{AE}\rangle$ of $AE$ has relative Hamming weight $\beta$ within $A$ if it is of the form $|\varphi_{AE}\rangle = |b\rangle|\varphi_E\rangle$ with $b \in \mathcal{A}^n$ and $\omega(b) = \beta$.
Now, given the outcome $f(t, q_t, s)$ of a sampling strategy when applied to $A$, we want to be able to 
conclude that, up to a small error, the state of the remaining subsystem $A_{\bar t}E$ is a superposition of states 
with relative Hamming weight close to $f(t, q_t, s)$ within $A_{\bar t}$. To analyze this, we extend some of the 
notions introduced in the classical setting. Recall the definition of $B^\delta_{t,s}$, consisting of all strings $b \in \mathcal{A}^n$ 
with $|\omega(b_{\bar t}) - f(t, b_t, s)| < \delta$. By slightly abusing notation, we extend this notion to the quantum setting 
and write 

$$\mathrm{span}(B^\delta_{t,s}) := \mathrm{span}\bigl(\{|b\rangle : b \in B^\delta_{t,s}\}\bigr) = \mathrm{span}\bigl(\{|b\rangle : |\omega(b_{\bar t}) - f(t, b_t, s)| < \delta\}\bigr)\,.$$

Note that if the state $|\varphi_{AE}\rangle$ of $AE$ happens to be in $\mathrm{span}(B^\delta_{t,s}) \otimes \mathcal{H}_E$ for some $t$ and $s$, and if exactly 
these $t$ and $s$ are chosen when applying the sampling strategy to $A$, then with certainty the state of $A_{\bar t}E$ 
(after the measurement) is in a superposition of states with relative Hamming weight $\delta$-close to $f(t, q_t, s)$ 
within $A_{\bar t}$, regardless of the measurement outcome $q_t$. 

Next, we want to extend the notion of error probability (Definition 2) to the quantum setting. The 
following approach turns out to be fruitful. We consider the hybrid system $TSAE$, consisting of the 
classical random variables $T$ and $S$ with distribution $P_{TS} = P_T P_S$, describing the choices of $t$ and $s$, 
respectively, and of the actual quantum systems $A$ and $E$. The state of $TSAE$ is given by 

$$\rho_{TSAE} = \sum_{t,s} P_{TS}(t,s)\,|t,s\rangle\langle t,s| \otimes |\varphi_{AE}\rangle\langle\varphi_{AE}|\,.$$

Note that $TS$ is independent of $AE$: $\rho_{TSAE} = \rho_{TS} \otimes \rho_{AE}$; indeed, in a sampling strategy $t$ and $s$ are 
chosen independently of the state of $AE$. We compare this real state of $TSAE$ with an ideal state which 
is of the form 

$$\tilde\rho_{TSAE} = \sum_{t,s} P_{TS}(t,s)\,|t,s\rangle\langle t,s| \otimes |\tilde\varphi^{ts}_{AE}\rangle\langle\tilde\varphi^{ts}_{AE}| \quad\text{with}\quad |\tilde\varphi^{ts}_{AE}\rangle \in \mathrm{span}(B^\delta_{t,s}) \otimes \mathcal{H}_E \;\;\forall\, t,s \qquad (1)$$

for some given $\delta > 0$. Thus, $T$ and $S$ have the same distribution as in the real state, but here we allow 
$AE$ to depend on $T$ and $S$, and for each particular choice $t$ and $s$ for $T$ and $S$, respectively, we require 
the state of $AE$ to be in $\mathrm{span}(B^\delta_{t,s}) \otimes \mathcal{H}_E$. Thus, in an "ideal world" where the state of the hybrid 
system $TSAE$ is given by $\tilde\rho_{TSAE}$, it holds with certainty that the state $|\tilde\psi_{A_{\bar t}E}\rangle$ of $A_{\bar t}E$, after having 
measured $A_t$ and having observed $q_t$, is in a superposition of states with relative Hamming weight $\delta$-
close to $\beta := f(t, q_t, s)$ within $A_{\bar t}$. We now define the quantum error probability of a sampling strategy 
by looking at how far away the closest ideal state $\tilde\rho_{TSAE}$ is from the real state $\rho_{TSAE}$. 

Definition 4 (Quantum error probability). The quantum error probability of a sampling strategy $\Psi = 
(P_T, P_S, f)$ is defined as the following value, parametrized by $0 < \delta < 1$: 

$$\varepsilon^\delta_{\mathrm{quant}}(\Psi) = \max_{\mathcal{H}_E}\;\max_{|\varphi_{AE}\rangle}\;\min_{\tilde\rho_{TSAE}} \Delta(\rho_{TSAE}, \tilde\rho_{TSAE})\,,$$

where the first max is over all finite-dimensional state spaces $\mathcal{H}_E$, the second max is over all state 
vectors $|\varphi_{AE}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$, and the min is over all ideal states $\tilde\rho_{TSAE}$ as in (1).^8 

^8 It is not too hard to see, in particular after having gained some more insight via the proof of Theorem 3 below, that these 
min and max exist. 
As with $\varepsilon$ and $\varepsilon^\delta_{\mathrm{class}}$, we simply write $\varepsilon^\delta_{\mathrm{quant}}$ when $\Psi$ is clear from the context. We stress the mean-
ingfulness of the definition: it guarantees that on average over the choice of $t$ and $s$, the state of $A_{\bar t}E$ 
is $\varepsilon^\delta_{\mathrm{quant}}$-close to a superposition of states with Hamming weight $\delta$-close to $f(t, q_t, s)$ within $A_{\bar t}$, and 
as such it behaves like a superposition of such states, except with probability $\varepsilon^\delta_{\mathrm{quant}}$. We will argue be-
low and demonstrate in the subsequent sections that being (close to) a superposition of states with given 
approximate (relative) Hamming weight has some useful consequences. 

Remark 2. Similarly to footnote 5, also here the results of the section immediately generalize from the 
all-zero reference state $|0\rangle\cdots|0\rangle$ to an arbitrary reference state $|\psi^0_A\rangle$ of the form $|\psi^0_A\rangle = U_1|0\rangle \otimes \cdots \otimes 
U_n|0\rangle$ for unitary operators $U_i$ acting on $\mathbb{C}^d$. Indeed, the generalization follows simply by a suitable 
change of basis, defined by the $U_i$'s. Or, in the special case where $\mathcal{A} = \{0,1\}$ and 

$$|\psi^0_A\rangle = H^\theta|x\rangle = H^{\theta_1}|x_1\rangle \otimes \cdots \otimes H^{\theta_n}|x_n\rangle$$

for a fixed reference basis $\theta \in \{0,1\}^n$ and a fixed reference string $x \in \{0,1\}^n$, we can, alternatively, 
replace in the definitions and results the computational by the Hadamard basis whenever $\theta_i = 1$, and 
speak of the (relative) Hamming distance to $x$ rather than of the (relative) Hamming weight. 



4.2 The Quantum vs. the Classical Error Probability 

It remains to discuss how difficult it is to actually compute the quantum error probability for given 
sampling strategies, and how the quantum error probability $\varepsilon^\delta_{\mathrm{quant}}$ relates to the corresponding classical 
error probability $\varepsilon^\delta_{\mathrm{class}}$. To this end, we show the following simple relationship between $\varepsilon^\delta_{\mathrm{quant}}$ and $\varepsilon^\delta_{\mathrm{class}}$. 

Theorem 3. For any sampling strategy $\Psi$ and for any $\delta > 0$: 

$$\varepsilon^\delta_{\mathrm{quant}} \le \sqrt{\varepsilon^\delta_{\mathrm{class}}}\,.$$
As a consequence of this theorem, it suffices to analyze a sampling strategy in the classical setting, 
which is much easier, in order to understand how it behaves in the quantum setting. In particular, sam-
pling strategies that are known to behave well in the classical setting, like Examples 1 to 5, are also 
automatically guaranteed to behave well in the quantum setting. We will use this in the application 
sections. 

Our bound on $\varepsilon^\delta_{\mathrm{quant}}$ is in general tight. Indeed, in Appendix C we show tightness for an explicit 
class of sampling strategies, which e.g. includes Example 1 and Example 5. Here, we just mention the 
tightness result. 

Proposition 1. There exist natural sampling strategies for which the inequality in Theorem 3 is an 
equality. 

Proof of Theorem 3. We need to show that for any $|\varphi_{AE}\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E$, with arbitrary $\mathcal{H}_E$, there exists 
a suitable ideal state $\tilde\rho_{TSAE}$ with $\Delta(\rho_{TSAE}, \tilde\rho_{TSAE}) \le (\varepsilon^\delta_{\mathrm{class}})^{1/2}$. We construct $\tilde\rho_{TSAE}$ as in (1), where 
the $|\tilde\varphi^{ts}_{AE}\rangle$'s are defined by the following decomposition: 

$$|\varphi_{AE}\rangle = \langle\tilde\varphi^{ts}_{AE}|\varphi_{AE}\rangle\,|\tilde\varphi^{ts}_{AE}\rangle + \langle\tilde\varphi^{ts\perp}_{AE}|\varphi_{AE}\rangle\,|\tilde\varphi^{ts\perp}_{AE}\rangle\,,$$

with $|\tilde\varphi^{ts}_{AE}\rangle \in \mathrm{span}(B^\delta_{t,s}) \otimes \mathcal{H}_E$, $|\tilde\varphi^{ts\perp}_{AE}\rangle \in \mathrm{span}(B^\delta_{t,s})^\perp \otimes \mathcal{H}_E$ and $|\langle\tilde\varphi^{ts}_{AE}|\varphi_{AE}\rangle|^2 + |\langle\tilde\varphi^{ts\perp}_{AE}|\varphi_{AE}\rangle|^2 = 1$. 
In other words, $|\tilde\varphi^{ts}_{AE}\rangle$ is obtained as the re-normalized projection of $|\varphi_{AE}\rangle$ into $\mathrm{span}(B^\delta_{t,s}) \otimes \mathcal{H}_E$. Note 
that $|\langle\tilde\varphi^{ts\perp}_{AE}|\varphi_{AE}\rangle|^2$ equals the probability $\Pr[Q \notin B^\delta_{t,s}]$, where the random variable $Q$ is obtained by 
measuring subsystem $A$ of $|\varphi_{AE}\rangle$ in basis $\{|a\rangle\}^{\otimes n}$. Furthermore, 

$$\sum_{t,s} P_{TS}(t,s)\,|\langle\tilde\varphi^{ts\perp}_{AE}|\varphi_{AE}\rangle|^2 = \sum_{t,s} P_{TS}(t,s)\Pr[Q \notin B^\delta_{t,s}] = \Pr[Q \notin B^\delta_{T,S}] = \sum_q P_Q(q)\Pr[q \notin B^\delta_{T,S}]\,,$$

where by definition of $\varepsilon^\delta_{\mathrm{class}}$ the latter is upper bounded by $\varepsilon^\delta_{\mathrm{class}}$. From elementary properties of the 
trace distance, and using Jensen's inequality, we can now conclude that 

$$\Delta(\rho_{TSAE}, \tilde\rho_{TSAE}) = \sum_{t,s} P_{TS}(t,s)\,\Delta\bigl(|\varphi_{AE}\rangle\langle\varphi_{AE}|, |\tilde\varphi^{ts}_{AE}\rangle\langle\tilde\varphi^{ts}_{AE}|\bigr) = \sum_{t,s} P_{TS}(t,s)\sqrt{1 - |\langle\tilde\varphi^{ts}_{AE}|\varphi_{AE}\rangle|^2}$$

$$= \sum_{t,s} P_{TS}(t,s)\,|\langle\tilde\varphi^{ts\perp}_{AE}|\varphi_{AE}\rangle| \le \sqrt{\sum_{t,s} P_{TS}(t,s)\,|\langle\tilde\varphi^{ts\perp}_{AE}|\varphi_{AE}\rangle|^2} \le \sqrt{\varepsilon^\delta_{\mathrm{class}}}\,,$$

which was to be shown. □ 

As a side remark, we point out that the particular ideal state $\tilde\rho_{TSAE}$ constructed in the proof mini-
mizes the distance to $\rho_{TSAE}$; this follows from the so-called Hilbert projection theorem. 

4.3 Superpositions with a Small Number of Terms 

We give here some argument why being (close to) a superposition of states with a given approxi-
mate Hamming weight may be a useful property in the analyses of quantum-cryptographic schemes. 
For simplicity, and since this will be the case in our applications, we now restrict to the binary case 
where $\mathcal{A} = \{0,1\}$. Our argument is based on the following lemma, which follows immediately from 
Lemma 3.1.13 in [Ren05]; for completeness, we give a direct proof of Lemma 1 in Appendix B. Infor-
mally, it states that measuring (part of) a superposition of a small number of orthogonal states produces 
a similar amount of uncertainty as when measuring the mixture of these orthogonal states. 

Lemma 1. Let $A$ and $E$ be arbitrary quantum systems, let $\{|i\rangle\}_{i \in I}$ and $\{|w\rangle\}_{w \in W}$ be orthonormal bases 
of $\mathcal{H}_A$, and let $|\varphi_{AE}\rangle$ and $\rho^{\mathrm{mix}}_{AE}$ be of the form 

$$|\varphi_{AE}\rangle = \sum_{i \in J} \alpha_i\,|i\rangle|\psi^i_E\rangle \in \mathcal{H}_A \otimes \mathcal{H}_E \quad\text{and}\quad \rho^{\mathrm{mix}}_{AE} = \sum_{i \in J} |\alpha_i|^2\,|i\rangle\langle i| \otimes |\psi^i_E\rangle\langle\psi^i_E|$$

for some subset $J \subseteq I$. Furthermore, let $\rho_{WE}$ and $\rho^{\mathrm{mix}}_{WE}$ describe the hybrid systems obtained by 
measuring subsystem $A$ of $|\varphi_{AE}\rangle$ and $\rho^{\mathrm{mix}}_{AE}$, respectively, in basis $\{|w\rangle\}_{w \in W}$ to observe outcome $W$. 
Then, 

$$H_{\min}(\rho_{WE}|E) \ge H_{\min}(\rho^{\mathrm{mix}}_{WE}|E) - \log|J|\,.$$

We apply Lemma 1 to an $n$-qubit system $A$ where $|\varphi_{AE}\rangle$ is a superposition of states with relative Ham-
ming weight $\delta$-close to $\beta$ within $A$:^9 

$$|\varphi_{AE}\rangle = \sum_{\substack{b \in \{0,1\}^n \\ |\omega(b) - \beta| < \delta}} \alpha_b\,|b\rangle|\psi^b_E\rangle\,.$$

It is well known that $|\{b \in \{0,1\}^n : |\omega(b) - \beta| < \delta\}| \le |\{b \in \{0,1\}^n : \omega(b) < \beta + \delta\}| \le 2^{h(\beta+\delta)n}$ 
for $\beta + \delta < \frac12$, where the function $h : [0,1] \to [0,1]$ is the binary entropy function, defined as $h(p) = 
-(p\log(p) + (1-p)\log(1-p))$ for $0 < p < 1$ and as $0$ for $p = 0$ or $1$.^10 

^9 System $A$ considered here corresponds to the subsystem $A_{\bar t}$ in the previous section, after having measured $A_t$ of the ideal 
state. 

Since measuring qubits within a state \b) in the Hadamard basis produces uniformly random bits, we 
can conclude the following. 

Corollary 1. Let $A$ be an $n$-qubit system, let the state $|\varphi_{AE}\rangle$ of $AE$ be a superposition of states with 
relative Hamming weight $\delta$-close to $\beta$ within $A$, where $\delta + \beta < \frac12$, and let the random variable $X$ be 
obtained by measuring $A$ in basis $H^\theta\{|0\rangle,|1\rangle\}^{\otimes n}$ for $\theta \in \{0,1\}^n$. Then 

$$H_{\min}(X|E) \ge \mathrm{wt}(\theta) - h(\beta+\delta)\,n\,.$$

Consider now the following quantum-cryptographic setting. Bob prepares and hands over to Alice an 
$n$-qubit quantum system $A$, which ought to be in state $|\psi^0_A\rangle = |0\rangle\cdots|0\rangle$. However, since Bob might 
be dishonest, the state of $A$ could be anything, even entangled with some system $E$ controlled by Bob. 
Our results now imply the following: Alice can apply a suitable sampling strategy to convince herself 
that the joint state of the remaining subsystem of $A$ and of $E$ is (close to) a superposition of states with 
bounded relative Hamming weight. From Corollary 1 we can then conclude that with respect to the min-
entropy of the measurement outcome, the state of $A$ behaves similarly to the case where Bob honestly 
prepares $A$ to be in state $|\psi^0_A\rangle$. By Remark 2, i.e., by doing a suitable change of basis, the same holds 
if $|\psi^0_A\rangle = H^{\hat\theta}|x\rangle$ for arbitrary fixed $\hat\theta, x \in \{0,1\}^n$, where $\mathrm{wt}(\theta)$ is replaced by the Hamming distance 
between $\theta$ and $\hat\theta$. We will make use of this in the applications in the upcoming sections. 
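As an added numerical illustration (not from the paper), the following Python code checks the Hamming-ball bound $2^{h(\beta+\delta)n}$ of Section 4.3 against the exact count, evaluates the min-entropy bound of Corollary 1, and finds by bisection the largest $\beta+\delta$ for which Corollary 1 still guarantees a given amount of min-entropy; the function names are ours.

```python
# Added example (not from the paper): evaluates the Hamming-ball bound
# |{b in {0,1}^n : |w(b) - beta| < delta}| <= 2^{h(beta+delta) n} from Section 4.3 and
# the min-entropy bound of Corollary 1, H_min(X|E) >= wt(theta) - h(beta+delta) n.
from math import comb, log2


def binary_entropy(p: float) -> float:
    """h(p) = -(p log p + (1-p) log(1-p)), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * log2(p) + (1.0 - p) * log2(1.0 - p))


def hamming_shell_size(n: int, beta: float, delta: float) -> int:
    """Exact number of b in {0,1}^n with |w(b) - beta| < delta, where w(b) = wt(b)/n."""
    return sum(comb(n, w) for w in range(n + 1) if abs(w / n - beta) < delta)


def hamming_ball_bound(n: int, p: float) -> float:
    """The bound 2^{h(p) n} on |{b in {0,1}^n : w(b) <= p}|; valid for p <= 1/2."""
    if p > 0.5:
        raise ValueError("the Hamming-ball bound only holds for p <= 1/2")
    return 2.0 ** (binary_entropy(p) * n)


def shell_bound_holds_exhaustively(max_n: int) -> bool:
    """Check shell size <= 2^{h(beta+delta) n} for all n <= max_n on a grid of
    beta, delta in {0, 0.05, ..., 0.5} with beta + delta <= 1/2 (integer arithmetic
    for the sum so that the 1/2 boundary is tested exactly)."""
    for n in range(1, max_n + 1):
        for i in range(11):
            for j in range(11):
                if i + j > 10:
                    continue
                beta, delta, p = i / 20, j / 20, (i + j) / 20
                if hamming_shell_size(n, beta, delta) > hamming_ball_bound(n, p):
                    return False
    return True


def min_entropy_bound(n: int, theta_weight: int, beta: float, delta: float) -> float:
    """Corollary 1: H_min(X|E) >= wt(theta) - h(beta+delta) n, for beta + delta <= 1/2."""
    return theta_weight - binary_entropy(beta + delta) * n


def max_tolerable_weight(n: int, theta_weight: int, min_bits: float, steps: int = 60) -> float:
    """Largest p = beta + delta <= 1/2 for which Corollary 1 still guarantees
    H_min(X|E) >= min_bits, found by bisection (h is increasing on [0, 1/2]).
    Returns -1.0 if even p = 0 does not reach min_bits."""
    lo, hi = 0.0, 0.5
    if min_entropy_bound(n, theta_weight, lo, 0.0) < min_bits:
        return -1.0
    for _ in range(steps):
        mid = (lo + hi) / 2
        if min_entropy_bound(n, theta_weight, mid, 0.0) >= min_bits:
            lo = mid
        else:
            hi = mid
    return lo
```

For $n = 100$ Hadamard-basis positions with $\mathrm{wt}(\theta) = 50$, the bound still leaves about 3 bits of min-entropy at $\beta + \delta = 0.1$, and drops to nothing just above that.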

5 Application I: Quantum Oblivious Transfer (QOT) 
5.1 The Bennett et al. QOT Scheme 

In a (one-out-of-two) oblivious transfer, OT for short, Alice sends two messages $m_0, m_1 \in \{0,1\}^\ell$ to 
Bob. Bob may choose to receive one of the two messages, $m_c$. The security requirements demand that 
Bob learns no information on the other message, $m_{1-c}$, while at the same time Alice remains ignorant 
about Bob's choice bit $c$. 

Back in 1992, Bennett et al. proposed a quantum scheme for OT, i.e., a QOT scheme [BBCS92]. 
The scheme makes use of a bit commitment (BC), which at that point in time was believed to be imple-
mentable with unconditional security by a quantum scheme. Bennett et al., however, merely claimed 
security of their scheme without providing any proof. In 1994, Mayers and Salvail proved the QOT 
scheme secure against a limited class of attacks [MS94], and, subsequently, Yao presented a full security 
proof without limiting the adversary's capabilities [Yao95]. However, Yao's proof is lengthy and very 
technical, and thus hard to understand. Furthermore, security is phrased and proven in terms of accessi-
ble information, which is now known to be too weak an information measure to guarantee security 
as required. 

Here we show how our sampling-strategy framework naturally leads to a new security proof for 
Bennett et al.'s QOT scheme. The new proof is simple and conceptually easy-to-understand, and security 
is expressed and proven by means of a security definition that is currently accepted to be "the right one". 

^10 There exists a corresponding upper bound for the cardinality of a $q$-ary Hamming ball (with arbitrary $q$), expressed in terms 
of the so-called $q$-ary entropy function; we do not elaborate on this here, since we now focus on the binary case. 
Furthermore, it allows for an explicit bound on the imperfection of the scheme for any set of parameters 
(number of transmitted qubits, length of messages etc.), rather than merely providing an asymptotic 
security claim. Nowadays, we of course know that BC (as well as QOT) cannot be implemented with 
unconditional security by means of a quantum scheme: QBC is impossible [May97, LC97]. As such, 
QOT cannot be instantiated from scratch. Nevertheless, the existence of a QOT scheme based on a 
(hypothetical) BC is still an interesting result, since in the non-quantum world, a BC alone does not 
allow one to implement OT. 

Below, we describe Bennett et al.'s QOT scheme (with some minor modifications), which we denote 
as QOT. Actually, QOT corresponds to the randomized OT used within Bennett et al.'s QOT scheme, 
where the messages $m_0$ and $m_1$, called $k_0$ and $k_1$ in QOT, are not input by Alice (her input is empty: $\bot$) 
but randomly produced during the course of the scheme and then output to Alice. The desired non-
randomized OT is then obtained simply by one-time-pad encrypting Alice's input messages $m_0$ and $m_1$ 
with the keys $k_0$ and $k_1$, respectively. Security of the non-randomized OT follows immediately from the 
security of the randomized OT by the properties of the one-time pad. 

QOT is parametrized by parameters $n, k, \ell \in \mathbb{N}$, where $n$ is the number of qubits communicated, 
$\ell$ the bit-length of the messages/keys $k_0, k_1$, and $k$ is the size of the "test set" $t$, which we require 
to be at most $n/2$. QOT makes use of a universal hash function $g : \mathcal{R} \times \{0,1\}^n \to \{0,1\}^\ell$. For 
$x' \in \{0,1\}^{n'}$ with $n' < n$, we define $g(r, x')$ as $g(r, x)$ where $x \in \{0,1\}^n$ is obtained from $x'$ by 
padding it with sufficiently many $0$'s. Furthermore, the scheme makes use of a BC, which we assume to 
be an ideal BC functionality. Alternatively, at the cost of losing unconditional security against dishonest 
Alice, we may use a BC implementation that is unconditionally binding and computationally hiding.^11 
Finally, for simplicity, we assume a noise-free quantum channel. For the more realistic setting of noisy 
quantum communication, an error-correcting code can be applied in a similar fashion as in the original 
scheme; this will not significantly affect our proof. In the upcoming protocol descriptions, we make 
use of our convention to speak about a basis $\theta$ (or $\hat\theta$) in $\{0,1\}^n$ when we actually mean $H^\theta\{|0\rangle,|1\rangle\}^{\otimes n}$ 
(respectively $H^{\hat\theta}\{|0\rangle,|1\rangle\}^{\otimes n}$). Protocol QOT is shown below.^12 

Protocol QOT($\bot$; $c$) 

1. (Preparation) Alice chooses $x, \theta \in \{0,1\}^n$ at random and sends the $n$ qubits $H^\theta|x\rangle$ to Bob. Bob 
selects $\hat\theta \in \{0,1\}^n$ at random and measures the received qubits in basis $\hat\theta$, obtaining $\hat x \in \{0,1\}^n$. 

2. (Commitment) Bob commits bit-wise to $\hat\theta$ and $\hat x$. Alice samples a random subset $t \subseteq [n]$ of 
cardinality $k$ and asks Bob to open the commitments to $\hat\theta_i$ and $\hat x_i$ for all $i \in t$. Alice verifies the 
openings and that $x_i = \hat x_i$ whenever $\theta_i = \hat\theta_i$, and she aborts in case of an inconsistency. 

3. (Set partitioning) Alice sends $\theta$ to Bob. Bob partitions $\bar t$ into the subsets $I_c = \{i \in \bar t : \theta_i = \hat\theta_i\}$ 
and $I_{1-c} = \{i \in \bar t : \theta_i \ne \hat\theta_i\}$ and sends $I_0$ and $I_1$ to Alice. 

4. (Key extraction) Alice chooses and sends to Bob a random $r \in \mathcal{R}$, and computes $k_0 := g(r, x_{I_0})$ 
and $k_1 := g(r, x_{I_1})$. Bob computes $\hat k_c = g(r, \hat x_{I_c})$. 



^11 In case of an unconditionally hiding and computationally binding BC scheme, our techniques do not apply directly; how 
to handle this case is shown in [DFL+09]. 

^12 A protocol is an interactive algorithm between two (or in general more) entities, whereas a scheme in general may consist 
of several protocols (like for BC); since the cryptographic tasks considered in this article (QOT and QKD) ask for a single 
protocol, we use the terms protocol and scheme interchangeably. 
It is trivial to see that for honest Alice and Bob: $\hat k_c = k_c$. Furthermore, security against dishonest Alice, 
who is trying to learn information on $c$, is easy to see and not the issue here: in case of a perfect BC 
functionality, Alice learns no information on $c$ no matter what she does; in case of a computationally 
hiding BC implementation, all information she obtains on $c$ is "hidden within the commitments", and 
thus computational security follows from the computational hiding property. 

Proving security against dishonest Bob is much more subtle, and is the goal of this section. Clearly, 
if Bob indeed measures the qubits in the preparation phase with respect to some choice $\hat\theta$, then security is 
easy to see: no matter how he partitions $\bar t$ into $I_0$ and $I_1$, on at least one of $x_{I_0}$ and $x_{I_1}$ he has some lower-
bounded uncertainty, and privacy amplification finishes the job. The intuition is now that the commitment 
phase forces Bob to essentially measure all qubits with respect to some choice $\hat\theta$, as otherwise he will 
get caught. However, proving this rigorously is non-trivial. 

5.2 The Security Proof 

For our proof of security against dishonest Bob, we first introduce a slightly modified version of the 
protocol, QOT*, given below. QOT* is only of proof-technical interest because it asks Alice to perform 
some actions that she could not do in practice. However, her actions are well-defined, and it follows 
from standard arguments that Bob's view of QOT is exactly the same as of QOT*. It thus suffices to prove 
security (against dishonest Bob) for QOT*. 

QOT* is obtained from QOT by means of the following two modifications. First, for every $i \in [n]$, 
instead of sending $H^{\theta_i}|x_i\rangle$, Alice prepares an EPR pair $A_iB_i$ of which she sends $B_i$ to Bob and measures 
$A_i$, at some later point in the protocol, in basis $\theta_i$ to obtain $x_i$. By elementary properties of EPR pairs, and 
since actions on different subsystems commute, this does not affect Bob's view of the protocol. Second, 
Alice measures her qubits $A_t$ within the test subset $t$ in Bob's basis $\hat\theta_t$ (rather than in $\theta_t$) to obtain $x_t$, 
but she still only verifies correctness of Bob's $\hat x_i$'s with $i \in t$ for which $\theta_i = \hat\theta_i$. Note that by assumption 
on the BC, the string to which Bob can open his commitments is uniquely determined at this point, and 
thus Alice's action is well-defined, although not doable in real life. This modification only influences 
Alice's bits $x_i$ for which $i \in t$ and $\hat\theta_i \ne \theta_i$; however, since these bits are not used in the protocol, it has 
no effect on Bob's view. 

Protocol QOT*($\bot$; $c$) 

1. (Preparation) Alice prepares $n$ EPR pairs of the form $(|0\rangle|0\rangle + |1\rangle|1\rangle)/\sqrt2$, and sends one qubit 
of each pair to Bob, who proceeds as in the original scheme QOT to obtain $\hat\theta$ and $\hat x$. Alice chooses 
a random $\theta \in \{0,1\}^n$, but she does not measure her qubits yet. 

2. (Commitment) Bob commits to $\hat\theta$ and $\hat x$, and Alice chooses a random subset $t \subseteq [n]$ of cardinality 
$k$, as in QOT. Next, Alice measures her qubits that are indexed by $t$ in Bob's basis $\hat\theta_t$ to obtain $x_t$. 
Then, Alice sends $t$ to Bob and they proceed as in QOT, meaning that Alice verifies that $x_i = \hat x_i$ 
for $i \in t$ only when $\theta_i = \hat\theta_i$. 

3. (Set partitioning) As in QOT. Additionally, Alice measures her qubits corresponding to $I_0$ in basis 
$\theta_{I_0}$ to obtain $x_{I_0}$ and her qubits corresponding to $I_1$ in basis $\theta_{I_1}$ to obtain $x_{I_1}$. 

4. (Key extraction) Exactly as in the original scheme QOT. 



Our proof for the security of QOT*, and thus of QOT, against dishonest Bob follows quite easily from 
our treatment of sampling strategies from Section 4. The proof is given below, after the formal security 
statement in Theorem 4. We would like to point out that our security guarantee implies the security 
definition proposed and studied in [FS08] for (randomized) OT, which in particular implies sequential 
composability when used as a sub-routine in a classical outer protocol. 

Theorem 4 (Security of QOT). Consider an execution of QOT (respectively QOT*) between honest Alice 
and dishonest Bob. Let $K_0$ and $K_1$ be the keys in $\{0,1\}^\ell$ output by Alice. Then, there exists a bit $c$ so 
that $K_{1-c}$ is close to random-and-independent of Bob's view (given $K_c$) in that for any $\varepsilon, \delta > 0$: 

$$\Delta\bigl(\rho_{K_{1-c}K_cE},\ \tfrac{1}{2^\ell}\mathbb{I} \otimes \rho_{K_cE}\bigr) \le \tfrac12 \cdot 2^{-\frac12\left(\left(\frac14 - \frac{\varepsilon}{2} - h(\delta)\right)(n-k) - \ell\right)} + \sqrt{6\exp(-\delta^2 k/100)} + 2\exp\bigl(-2\varepsilon^2(n-k)\bigr)\,,$$

where $E$ denotes the quantum state output by Bob, and $\mathbb{I}$ the identity operator on $\mathbb{C}^{2^\ell}$. 

On a high level, the proof is as follows. Alice's checking procedure can be understood as applying a 
sampling strategy to the qubits she holds. From this we obtain that (except with a small error) the joint 
state she shares with Bob is a superposition of states with small relative Hamming weight within her 
subsystem $A_{\bar t}$. This implies that the joint state is a superposition of states with small relative Hamming 
weight also within $A_{I_{1-c}}$, where $c \in \{0,1\}$ is chosen such that $\theta_i \ne \hat\theta_i$ for approximately half (or more) 
of the indices $i$ in $I_{1-c}$. It then follows from Corollary 1 that $X_{1-c}$, obtained by measuring $A_{I_{1-c}}$ in 
basis $\theta_{I_{1-c}}$, has high min-entropy, so that privacy amplification concludes the proof. The formal proof, 
which takes care of the details and keeps track of the error term, is given below. 

Proof. We consider the state $|\psi_{AE_0}\rangle$ shared between Alice and Bob, after Bob has committed to $\hat\theta$ and $\hat x$, 
but before Alice chooses the test subset $t$. $|\psi_{AE_0}\rangle$ is obtained from the $n$ EPR-pairs by an arbitrary 
quantum operation (possibly involving measurements), applied only to Bob's part. Without loss of 
generality, we may assume that, given the commitments, the joint state is indeed pure. Furthermore, we 
consider the strings $\hat\theta$ and $\hat x$, to which Bob has committed. By the unconditional binding property, these 
are uniquely determined. For concreteness, and in order to have the notation fit nicely with Section 4, we 
assume $\hat\theta = \hat x = (0, \ldots, 0) \in \{0,1\}^n$; however, by Remark 2, the very same reasoning works for any $\hat\theta$ 
and $\hat x$. 

The crucial observation now is that Alice's checking procedure within the commitment phase of 
QOT* can be understood as applying a sampling strategy to the state $|\psi_{AE_0}\rangle$ in order to test closeness 
of $A$ to the all-zero state $|0\rangle\cdots|0\rangle$. Indeed, Alice chooses a random subset $t \subseteq [n]$ of cardinality $k$, 
measures $A_t$ (in the computational basis) to obtain $x_t$, and decides whether to accept or reject based on 
$x_t$; specifically, she takes a random subset $s \subseteq t$, given by $s = \{i \in t : \theta_i = \hat\theta_i\}$, and accepts if and 
only if $x_i = 0$ for all $i \in s$. This is precisely the sampling strategy $\Psi$ studied in Example 4, adapted to test 
closeness to $|0\rangle\cdots|0\rangle$ by accepting if and only if $f(t, x_t, s) = 0$. Note that, by the random choices of 
the $\theta_i$'s, $s$ is indeed a random subset of $t$. 

Thus, we can conclude that at the end of the commitment phase, for any fixed $\delta > 0$, the joint 
state of $A_{\bar t}E_0$ has collapsed to a state $|\psi_{A_{\bar t}E_0}\rangle$ that is (on average over Alice's choice of $t$ and $s$) $\varepsilon^\delta_{\mathrm{quant}}$-
close to being a superposition of states with relative Hamming weight at most $\delta$ within $A_{\bar t}$ (or else Alice 
has aborted). We proceed by assuming that the state $|\psi_{A_{\bar t}E_0}\rangle$ equals a superposition of states with small 
relative Hamming weight, and we book-keep the error $\varepsilon^\delta_{\mathrm{quant}}$.^13 Recall that by Theorem 3 and Example 4 
(and its analysis in Appendix A.4), 

$$\varepsilon^\delta_{\mathrm{quant}} \le \sqrt{\varepsilon^\delta_{\mathrm{class}}} \le \sqrt{6\exp(-\delta^2 k/100)}\,.$$

By the random choices of the $\theta_i$'s, it follows from Hoeffding's inequality (Theorem 1) that the 
Hamming weight of $\theta_{\bar t}$ is lower bounded by $\mathrm{wt}(\theta_{\bar t}) \ge (\tfrac12 - \varepsilon)(n-k)$ except with probability at 
most $2\exp(-2\varepsilon^2(n-k))$.^14 In the sequel, we assume that the bound holds, and we book-keep the 
error. It follows that regardless of how Bob divides $\bar t$ into $I_0$ and $I_1$, there exists $c \in \{0,1\}$ such that 
$\mathrm{wt}(\theta_{I_{1-c}}) \ge \tfrac12(\tfrac12 - \varepsilon)(n-k)$ (if Bob is honest, then $c$ coincides with his input bit). 

By re-arranging Alice's qubits, we write the state $|\psi_{A_{\bar t}E_0}\rangle$ as $|\psi_{A^{1-c}A^cE_0}\rangle$, where $A^0 := A_{I_0}$ and 
$A^1 := A_{I_1}$. Since $|\psi_{A_{\bar t}E_0}\rangle$ is a superposition of states with Hamming weight at most $(n-k)\delta$ within 
$A_{\bar t}$, it is easy to see that $|\psi_{A^{1-c}A^cE_0}\rangle$ is a superposition of states with Hamming weight at most $(n-k)\delta$ 
within $A^{1-c}$. Let the random variables $X_{1-c}$ and $X_c$ describe the outcome of measuring $A^{1-c}$ and $A^c$ in 
bases $\theta_{I_{1-c}}$ and $\theta_{I_c}$, respectively, and let $\rho_{X_{1-c}X_cE_0}$ be the corresponding hybrid state. We may think 
of $\rho_{X_{1-c}X_cE_0}$ as being obtained by first measuring $A^{1-c}$, resulting in a hybrid state $\rho_{X_{1-c}A^cE_0}$, and then 
measuring $A^c$; indeed, the order in which these measurements take place has no effect on the final state. 

We can now apply Corollary 1 to the hybrid state $\rho_{X_{1-c}A^cE_0}$ obtained from measuring subsystem 
$A^{1-c}$ within $|\psi_{A^{1-c}A^cE_0}\rangle$ and conclude that 

$$H_{\min}(X_{1-c}|A^cE_0) \ge \mathrm{wt}(\theta_{I_{1-c}}) - h(\delta)(n-k) \ge \left(\tfrac14 - \tfrac{\varepsilon}{2} - h(\delta)\right)(n-k)\,.$$

By a basic property of the min-entropy ("measuring only destroys information"), it follows that the 
same bound in particular holds for $H_{\min}(X_{1-c}|X_cE_0)$. Applying privacy amplification (Theorem 2), 
incorporating the error probabilities (expressed in terms of trace distance) obtained along the proof, and 
noting that Bob's processing of his information to obtain his final quantum state $E$ does not increase the 
trace distance, concludes the proof. □ 

6 Application II: Quantum Key Distribution (QKD) 

In quantum key distribution (QKD), Alice and Bob want to agree on a secret key in the presence of an 
adversary Eve. Alice and Bob are assumed to be able to communicate over a quantum channel and over 
an authenticated classical channel.^15 Eve may eavesdrop on the classical channel (but not insert or modify 
messages), and she has full control over the quantum channel. The first and still most prominent QKD 
scheme is the famous BB84 QKD scheme due to Bennett and Brassard [BB84]. 

In this section, we show how our sampling-strategy framework leads to a simple security proof for 
the BB84 QKD scheme. Proving QKD schemes rigorously secure is a highly non-trivial task, and as 
such our new proof nicely demonstrates the power of the sampling-strategy framework. Furthermore, 
our new proof has some nice features. For instance, it allows us to explicitly state (a bound on) the error 
probability of the QKD scheme for any given choices of the parameters. Additionally, our proof does not 
seem to take unnecessary detours or to make use of "loose bounds", and therefore we feel that the bound 
on the error probability we obtain is rather tight (although we have no formal argument to support this). 

^13 It now follows immediately from Corollary 1 that $H_{\min}(X_0X_1|E_0)$ is "large", where $X_0$ collects the bits obtained by 
measuring $A_{I_0}$ in basis $\theta_{I_0}$, and correspondingly for $X_1$. However, in the end we need that $H_{\min}(X_{1-c}|X_cE_0)$ is "large" for 
some $c$, which does not follow from the former. Because of that, we need to make a small detour. 

^14 Actually, for the one-sided bound, we could save the factor two in front of the exp. 

^15 If the classical channel between Alice and Bob is not authentic, then authenticity of the communication can still be achieved 
by information-theoretic authentication techniques, at the cost of requiring Alice and Bob to initially share a short secret key. 

Our proof strategy can also be applied to other QKD schemes that are based on the BB84 encoding. 
For example, Lo et al.'s QKD scheme^16 [LCA05] can be proven secure by following exactly our proof, 
except that one needs to analyze a slightly different sampling strategy, namely the one from Example 6. 
On the other hand, it is yet unknown whether our framework can be used to prove e.g. the six-state QKD 
protocol [Bru98] secure. 

Actually, the QKD scheme we analyze is the entanglement-based version of the BB84 scheme (as 
initially suggested by Ekert [Eke91]). However, it is very well known and not too hard to show that 
security of the entanglement-based version implies security of the original BB84 QKD scheme. 

The entanglement-based QKD scheme, QKD, is parametrized by the total number $n$ of qubits sent in 
the protocol and the number $k$ of qubits used to estimate the error rate of the quantum channel (where we 
require $k \le n/2$). Additional parameters, which are determined during the course of the protocol, are 
the observed error rate $\beta$ and the number $\ell \in \mathbb{N} \cup \{0\}$ of extracted key bits. QKD makes use of a universal 
hash function $g : \mathcal{R} \times \{0,1\}^{n-k} \to \{0,1\}^\ell$ and a linear binary error correcting code of length $n-k$ 
that allows to correct up to a $\beta'$-fraction of errors (except maybe with negligible probability) for some 
$\beta' > \beta$. The choice of how much $\beta'$ exceeds $\beta$ is a trade-off between keeping the probability that Alice 
and Bob end up with different keys small and increasing the size of the extractable key. We will write $m$ 
for the bit size of the syndrome of this error-correcting code. Protocol QKD can be found below. 

Protocol QKD 

1. (Qubit distribution) Alice prepares $n$ EPR pairs of the form $(|0\rangle|0\rangle + |1\rangle|1\rangle)/\sqrt2$, and sends one 
qubit of each pair to Bob, who confirms the receipt of the qubits. Then, Alice picks random 
$\theta \in \{0,1\}^n$ and sends it to Bob, and Alice and Bob measure their respective qubits in basis $\theta$ to 
obtain $x$ on Alice's side respectively $y$ on Bob's side. 

2. (Error estimation) Alice chooses a random subset $s \subseteq [n]$ of size $k$ and sends it to Bob. Then, 
Alice and Bob exchange $x_s$ and $y_s$ and compute $\beta := \omega(x_s \oplus y_s)$. 

3. (Error correction) Alice sends the syndrome $\mathit{syn}$ of $x_{\bar s}$ to Bob with respect to a suitable linear 
error correcting code (as described above). Bob uses $\mathit{syn}$ to correct the errors in $y_{\bar s}$ and obtains 
$\hat x_{\bar s}$. Let $m$ be the bit-size of $\mathit{syn}$. 

4. (Key distillation) Alice chooses a random seed $r$ for a universal hash function $g$ with range $\{0,1\}^\ell$, 
where $\ell$ satisfies $\ell \le (1 - h(\beta))n - k - m$ (or $\ell = 0$ if the right-hand side is not positive), and 
sends it to Bob. Then, Alice and Bob compute $k := g(r, x_{\bar s})$ and $\hat k := g(r, \hat x_{\bar s})$, respectively. 



It is not hard to see that $k = \hat k$ except with negligible probability (in $n$). Furthermore, if no Eve 
interacts with the quantum communication in the qubit distribution phase then $x = y$ in case of a noise-
free quantum channel, or more generally, $\omega(x \oplus y) \approx \phi$ in case the quantum channel is noisy and 
introduces an error probability $0 \le \phi < \frac12$. It follows that $\beta \approx \phi$, so that using an error correcting 
code that approaches the Shannon bound, Alice and Bob can extract close to $(1 - 2h(\phi))(n-k)$ bits of 
secret key, which is positive for $\phi$ smaller than approximately 11%. The difficult part is to prove security 
against an active adversary Eve. We first state the formal security claim. 

^16 In this scheme, Alice and Bob bias the choice of the bases so that they measure a bigger fraction of the qubits in the same 
basis. 

Note that we cannot expect that Eve has (nearly) no information on $K$, i.e. that $\Delta(\rho_{KE}, \tfrac{1}{2^\ell}\mathbb{I}_K \otimes \rho_E)$ 
is small, since the bit-length $\ell$ of $K$ is not fixed but depends on the course of the protocol, and Eve can 
influence and thus obtain information on $\ell$ (and thus on $K$). Theorem 5, though, guarantees that the 
bit-length $\ell$ is the only information Eve learns on $K$; in other words, $K$ is essentially random-and-
independent of $E$ when given $\ell$. 

Theorem 5 (Security of QKD). Consider an execution of QKD in the presence of an adversary Eve. Let 
$K$ be the key obtained by Alice, and let $E$ be Eve's quantum system at the end of the protocol. Let $\tilde K$ be 
chosen uniformly at random of the same bit-length as $K$. Then, for any $\delta$ with $\beta + \delta < \frac12$: 

Hpke,Pke) < i-r^M)"-^) +2exp(-i^). 

From an application point of view, the following question is of interest. Given the parameters $n$ and $k$, and given a course of the protocol with observed error rate $\beta$ and where an error-correcting code with syndrome length $m$ was used, what is the maximal size $\ell$ of the extractable key $K$ if we want $\delta(\rho_{KE}, \rho_{\tilde{K}E}) \le \varepsilon$ for a given $\varepsilon$? From the bound in Theorem 5 it follows that for every choice of $\delta$ (with $\beta + \delta < \frac{1}{2}$), one can easily compute a possible value for $\ell$ simply by solving for $\ell$. In order to compute the optimal value, one needs to maximize $\ell$ over the choice of $\delta$.

The formal proof of Theorem 5 is given below. Informally, the argument goes as follows. The error estimation phase can be understood as applying a sampling strategy. From this, we can conclude that the state from which the raw key, $x_S$, is obtained, is a superposition of states with bounded Hamming weight, so that Corollary 1 guarantees a certain amount of min-entropy within $x_S$. Privacy amplification then finishes the proof.

To indeed be able to model the error estimation procedure as a sampling strategy, we will need to consider a modified but equivalent way for Alice and Bob to jointly obtain $x_S$ and $y_S$ from the initial joint state, which will allow them to obtain the XOR-sum $x_S \oplus y_S$, and thus to compute $\beta$, before they measure the remaining part of the state, whose outcome then determines $x_S$. This modification is based on the so-called CNOT operation, $U_{CNOT}$, acting on $\mathbb{C}^2 \otimes \mathbb{C}^2$, and its properties that

$$U_{CNOT}\big(|b\rangle|c\rangle\big) = |b\rangle|b \oplus c\rangle \quad\text{and}\quad U_{CNOT}\big(H|b\rangle\, H|c\rangle\big) = H|b \oplus c\rangle\, H|c\rangle , \qquad (2)$$

where the first holds by definition of $U_{CNOT}$, and the second is straightforward to verify.

Proof. Throughout the proof, we use capital letters, $\Theta$, $X$ etc. for the random variables representing the corresponding choices of $\theta$, $x$ etc. in protocol QKD. Let the state, shared by Alice, Bob and Eve right after the quantum communication in the qubit distribution phase, be denoted by $|\psi_{ABE_a}\rangle$; without loss of generality, we may indeed assume the shared state to be pure. For every $i \in [n]$, Alice and Bob then measure the respective qubits $A_i$ and $B_i$ from $|\psi_{ABE_a}\rangle$ in basis $\theta_i$, obtaining $X_i$ and $Y_i$. This results in the hybrid state $\rho_{\Theta XYE_a}$. For the proof, it will be convenient to introduce the additional random variables $W = (W_1, \ldots, W_n)$ and $Z = (Z_1, \ldots, Z_n)$, defined by

$$Z_i := X_i \oplus Y_i \quad\text{and}\quad W_i := \begin{cases} X_i & \text{if } \theta_i = 0 \\ Y_i & \text{if } \theta_i = 1 \end{cases} . \qquad (3)$$

17 Note that $E_a$ represents Eve's quantum state just after the quantum communication stage, whereas $E$ represents Eve's entire state of knowledge at the end of the protocol (i.e., the quantum information and all classical information gathered during execution of QKD).

Note that, when given $\Theta$, the random variables $W$ and $Z$ are uniquely determined by $X$ and $Y$ and vice versa, and thus we may equivalently analyze the hybrid state $\rho_{\Theta WZE_a}$.

For the analysis, we will consider a slightly different experiment for Alice and Bob to obtain the very same state $\rho_{\Theta WZE_a}$; the advantage of the modified experiment is that it can be understood as a sampling strategy. The modified experiment is as follows. First, the CNOT transformation is applied to every qubit pair $A_iB_i$ within $|\psi_{ABE_a}\rangle$ for $i \in [n]$, such that the state $|\varphi_{ABE_a}\rangle = (U_{CNOT}^{\otimes n} \otimes \mathbb{I}_{E_a})|\psi_{ABE_a}\rangle$ is obtained. Next, $\Theta$ is chosen at random as in the original scheme, and for every $i \in [n]$ the qubit pair $A_iB_i$ of the transformed state is measured as in the original scheme depending on $\Theta_i$; however, if $\Theta_i = 0$ then the resulting bits are denoted by $W_i$ and $Z_i$, respectively, and if $\Theta_i = 1$ then they are denoted by $Z_i$ and $W_i$, respectively, such that which bit is assigned to which variable depends on $\Theta_i$. This is illustrated in Figure 1 (left and middle), where light and dark colored ovals represent measurements in the computational and Hadamard basis, respectively. It now follows immediately from the properties (2) of the CNOT transformation and from the relation (3) between $X, Y$ and $W, Z$ that the state $\rho_{\Theta WZE_a}$ (or, equivalently, $\rho_{\Theta XYE_a}$) obtained in this modified experiment is exactly the same as in the original.

Figure 1: Original and modified experiments for obtaining the same state $\rho_{\Theta WZE_a}$.



An additional modification we may do without influencing the final state is to delay some of the measurements: we assume that first the qubits are measured that lead to the $Z_i$'s, and only at some later point, namely after the error estimation phase, the qubits leading to the $W_i$'s are measured (as illustrated in Figure 1, right). This can be done since the relative Hamming weight of $X_S \oplus Y_S$ for a random subset $S \subseteq [n]$ (of size $k$) can be computed given $Z$ alone.
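The CNOT trick behind (2) and the modified experiment can be checked concretely; the following Python code is an added example, not code from the paper. It applies $U_{CNOT}$ and $H \otimes H$ to explicit two-qubit amplitude vectors, verifies identity (2) on every basis input, and computes the exact distribution of $(W_i, Z_i)$ for one pair $A_iB_i$ in both the original experiment (measure $X_i, Y_i$, then apply (3)) and the modified one; Eve's system is left out and the test states are constructed.

```python
"""Added example (not from the paper): check property (2) of U_CNOT and the
equivalence of the original and modified experiments for one qubit pair A_i B_i.
Eve is omitted; the shared two-qubit pure state is 4 amplitudes indexed 2*a + b."""
import math
import random

R = 1 / math.sqrt(2)
H = [[R, R], [R, -R]]  # Hadamard matrix

def apply_h_both(psi):
    """Return (H ⊗ H) psi for a two-qubit amplitude vector."""
    out = [0j] * 4
    for a in range(2):
        for b in range(2):
            for a2 in range(2):
                for b2 in range(2):
                    out[2 * a + b] += H[a][a2] * H[b][b2] * psi[2 * a2 + b2]
    return out

def apply_cnot(psi):
    """U_CNOT |b>|c> = |b>|b xor c>: qubit A is the control, B the target."""
    out = [0j] * 4
    for a in range(2):
        for b in range(2):
            out[2 * a + (a ^ b)] = psi[2 * a + b]
    return out

def basis_state(a, b):
    v = [0j] * 4
    v[2 * a + b] = 1
    return v

def cnot_hadamard_identity_holds(tol=1e-12):
    """Property (2): U_CNOT(H|b> H|c>) = H|b xor c> H|c> for all b, c in {0,1}."""
    for b in range(2):
        for c in range(2):
            lhs = apply_cnot(apply_h_both(basis_state(b, c)))
            rhs = apply_h_both(basis_state(b ^ c, c))
            if any(abs(l - r) > tol for l, r in zip(lhs, rhs)):
                return False
    return True

def measure_probs(psi, theta):
    """Outcome probabilities |<a_theta, b_theta|psi>|^2 when both qubits are
    measured in basis theta (0 = computational, 1 = Hadamard)."""
    v = apply_h_both(psi) if theta == 1 else psi
    return {(a, b): abs(v[2 * a + b]) ** 2 for a in range(2) for b in range(2)}

def wz_original(psi, theta):
    """Original experiment: measure X_i, Y_i in basis theta, then Z_i = X_i xor Y_i
    and W_i = X_i (theta = 0) or Y_i (theta = 1), as in (3)."""
    dist = {}
    for (x, y), p in measure_probs(psi, theta).items():
        key = (x if theta == 0 else y, x ^ y)
        dist[key] = dist.get(key, 0.0) + p
    return dist

def wz_modified(psi, theta):
    """Modified experiment: apply U_CNOT, measure in basis theta, and read the
    two bits as (W_i, Z_i) if theta = 0 and as (Z_i, W_i) if theta = 1."""
    dist = {}
    for (a, b), p in measure_probs(apply_cnot(psi), theta).items():
        key = (a, b) if theta == 0 else (b, a)
        dist[key] = dist.get(key, 0.0) + p
    return dist

def experiments_agree(psi, tol=1e-12):
    """True iff both experiments give the same (W_i, Z_i) law for theta = 0 and 1."""
    for theta in (0, 1):
        o, m = wz_original(psi, theta), wz_modified(psi, theta)
        if any(abs(o.get(k, 0.0) - m.get(k, 0.0)) > tol for k in set(o) | set(m)):
            return False
    return True

def random_state(seed):
    """Constructed random two-qubit pure state, used only as test input."""
    rng = random.Random(seed)
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(4)]
    norm = math.sqrt(sum(abs(x) ** 2 for x in amps))
    return [x / norm for x in amps]
```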

The crucial observation is now that this modified experiment can be viewed as a particular sampling strategy, as a matter of fact as the sampling strategy discussed in Example 5, being applied to systems $A$ and $B$ of the state $|\varphi_{ABE_a}\rangle$. Indeed: first, a subset of the $2n$ qubit positions is selected according to some probability distribution, namely of each pair $A_iB_i$ one qubit is selected at random (determined by $\Theta_i$). Then, the selected qubits are measured to obtain the bit string $Z = (Z_1, \ldots, Z_n)$. And, finally, a value $\beta$ is computed as a (randomized) function of $Z$: $\beta = \omega(Z_S)$ for a random $S \subseteq [n]$ of size $k$. We point out that here the reference basis (as explained in Remark 4) is not the computational basis for all qubits, but is the Hadamard basis on the qubits in system $A$ and the computational basis in system $B$; however, as discussed in Remark 2, we may still apply the results from Section 4 (appropriately adapted).

It thus follows that for any fixed $\delta > 0$, the remaining state, from which $W$ is then obtained, is (on average over $\Theta$ and $S$) $\varepsilon^\delta_{quant}$-close to a state which is (for any possible values for $\Theta$, $Z$ and $S$) a superposition of states with relative Hamming weight in a $\delta$-neighborhood of $\beta$. Note that the latter has to be understood with respect to the fixed reference basis (i.e., the Hadamard basis on $A$ and the computational basis on $B$). In the following, we assume that the remaining state equals such a superposition, but we remember the error

4uant<y4^<2exp(-i5 2 /c). 

where the bound on $\varepsilon^\delta_{class}$ is derived in Appendix A.5.

Recall that $W$ is now obtained by measuring the remaining qubits; however, the basis used is opposite to the reference basis, namely the computational basis on the qubits $A_i$ and the Hadamard basis on the qubits $B_i$. Hence, by Corollary 1 (and the subsequent discussion) we get a lower bound on the min-entropy of $W$:

$$H_{\min}(W \mid \Theta Z S E_a) \ge (1 - h(\beta + \delta))\,n .$$

Since $W$ is uniquely determined by $X$ (and vice versa) when given $\Theta$ and $Z$, the same lower bound also holds for $H_{\min}(X \mid \Theta Z S E_a)$. Note that in QKD, the $k$ qubit-pairs that are used for estimating $\beta$ are not used anymore in the key distillation phase, so we are actually interested in the min-entropy of $X_{\bar S}$. Additionally, we should take into account that Alice sends an $m$-bit syndrome $SYN$ during the error correction phase. Hence, by using the chain rule, we obtain

$$H_{\min}(X_{\bar S} \mid \Theta Z X_S\, SYN\, E_a) \ge (1 - h(\beta + \delta))\,n - k - m .$$

Finally, we apply privacy amplification (Theorem 4) which concludes the proof. □

7 Conclusion 

We have shown a framework for predicting some property (namely the approximate Hamming weight, 
appropriately defined) of a population of quantum states, by measuring a small sample subset. The 
framework allows for new and simple security proofs for important quantum cryptographic protocols: 
the Bennett et al. QOT and the BB84 QKD scheme. We find it particularly interesting that with our 
framework, the protocols for QOT and QKD can be proven secure by means of very similar techniques, 
even though they implement fundamentally different cryptographic primitives, and are intuitively secure 
due to very different reasons (namely in QOT the commitments force Bob to measure the communicated 
qubits, whereas in QKD Eve disturbs the communicated qubits when trying to observe them). 
A Error Probabilities of the Example Sampling Strategies

A.1 Example 1 — Random sampling without replacement

It follows immediately from Theorem 1 that the estimate is $\delta$-close to the relative Hamming weight $\omega(q)$ of $q$ except with probability at most $2\exp(-2\delta^2 k)$. However, we want to analyze closeness of the estimate to $\omega(q_{\bar T})$ (still treating $T$ as a random variable). This can be derived easily as follows. We can write $\omega(q) = \alpha\,\omega(q_T) + (1-\alpha)\,\omega(q_{\bar T})$, where $\alpha := k/n$, and thus can see that

$$\omega(q_{\bar T}) - \omega(q_T) = \frac{\omega(q) - \alpha\,\omega(q_T)}{1-\alpha} - \omega(q_T) = \frac{\omega(q) - \omega(q_T)}{1-\alpha} ,$$

so that

$$\varepsilon^\delta_{class} = \max_q \Pr\big[q \notin B^\delta_{T,S}\big] = \max_q \Pr\big[|\omega(q_{\bar T}) - \omega(q_T)| > \delta\big] = \max_q \Pr\big[|\omega(q) - \omega(q_T)| > (1-\alpha)\delta\big] \le 2\exp\big(-2(1-\alpha)^2\delta^2 k\big) . \qquad (4)$$

Under assumption of $k \le n/2$, we obtain a simple bound for the latter expression,

$$\varepsilon^\delta_{class} \le 2\exp\big(-2(1-\alpha)^2\delta^2 k\big) \le 2\exp\big(-\tfrac{1}{2}\delta^2 k\big) . \qquad (5)$$

We obtain the following bound if we use the bound from [Ser74]:

$$\varepsilon^\delta_{class} = \max_q \Pr\big[|\omega(q) - \omega(q_T)| > (1-\alpha)\delta\big] \le 2\exp\Big(-\frac{2k(1-\alpha)^2\delta^2\, n}{n-k+1}\Big) = 2\exp\Big(-\frac{2k\delta^2 (n-k)^2}{n(n-k+1)}\Big) \le 2\exp\Big(-\frac{n k \delta^2}{n+2}\Big)$$

for $k \le n/2$, because $-\frac{2k(n-k)^2}{n(n-k+1)}$ is convex in $k$, and $-\frac{nk}{n+2}$ is linear in $k$ and equality holds at $k = 0$ and $k = n/2$, hence it is a tight linear upper bound.



A.2 Example 2 — Random sampling with replacement 

Computing the error probability for Example 2 actually turns out to be tricky. Although, as in Example 1 above, Theorem 1 applies and guarantees that the estimate is likely to be close to $\omega(q)$, showing that the estimate is likely to be close to $\omega(q_{\bar T})$ seems to be non-trivial here. Since we make no further use of this example sampling strategy, we refrain from analyzing its error probability.



A.3 Example 3 — Uniformly random subset sampling 

Note that for any fixed choice $k = |t|$, $t$ is obtained as in random sampling without replacement. Because $t$ is sampled uniformly at random, the expectation of $k$ is given by $E[k] = n/2$. Hence, by making use of Hoeffding's inequality, we can say that for $0 < \beta < \frac{1}{2}$, $\Pr\big[|\tfrac{k}{n} - \tfrac{1}{2}| > \beta\big] \le 2\exp(-2\beta^2 n)$.

Informally, the idea is to start off with an upper bound on $\varepsilon^\delta_{class}$ obtained in Appendix A.1 (the case of sampling without replacement), and transform it into an upper bound that holds under the assumption that $k \in [(\tfrac{1}{2} - \beta)n, (\tfrac{1}{2} + \beta)n]$. Note that we cannot use the simple bound (5) from Appendix A.1 because that result was obtained under the assumption that $k \le n/2$, and here this assumption does not hold. Instead, we use bound (4) from Appendix A.1,

$$\varepsilon^\delta_{class} \le 2\exp\Big(-2\big(1 - \tfrac{k}{n}\big)^2 \delta^2 k\Big) \qquad (6)$$

which does hold for all $k \in \{0, \ldots, n\}$.

To get an upper bound for (6), we replace the first occurrence of $k$ in that expression (in the numerator of the fraction) by an upper bound for $k$, and the second occurrence of $k$ by a lower bound for $k$. The upper and lower bound for $k$ are simply given by the (appropriate) boundary points of the interval $[(\tfrac{1}{2} - \beta)n, (\tfrac{1}{2} + \beta)n]$. I.e.,

$$2\exp\Big(-2n\delta^2\Big(1 - \frac{(\tfrac{1}{2}+\beta)n}{n}\Big)^2\big(\tfrac{1}{2} - \beta\big)\Big) = 2\exp\Big(-2n\delta^2\big(\tfrac{1}{2} - \beta\big)^3\Big) .$$

To compute $\varepsilon^\delta_{class}$, we use a union bound to combine the upper bound above, which holds under the assumption that $k$ lies inside the previously defined interval, with the upper bound on the probability that $k$ does not lie in this interval,

$$\varepsilon^\delta_{class} \le 2\exp\Big(-2n\delta^2\big(\tfrac{1}{2} - \beta\big)^3\Big) + 2\exp(-2\beta^2 n) .$$

Setting $\beta = \delta/4$ in the expression above yields $-n\delta^2(2 - \delta)^3/32$ for the exponent of the first summand, and $-n\delta^2/8$ for the exponent of the second summand. Because $0 < \delta < 1$ (Definition 2), a suitable upper bound for both exponents is $-n\delta^2/32$. This gives the following simpler bound,

$$\varepsilon^\delta_{class} \le 4\exp(-n\delta^2/32) .$$



A.4 Example 4 — Random sampling without replacement, using only part of the sample 

From Appendix A.1 we know that $\Pr\big[|\omega(q_{\bar T}) - \omega(q_T)| > \xi\big] \le 2\exp(-\tfrac{1}{2}\xi^2 k)$, for $k \le n/2$. Additionally, the selection of the seed $s$ and the computation of $f(t, q_t, s)$ can be viewed as applying uniformly random subset sampling to $q_t$. Hence, it follows from Appendix A.3 that $\max_q \Pr\big[|\omega(q_T) - \omega(q_S)| > \gamma\big] \le 4\exp(-k\gamma^2/32)$. Setting $\delta = \xi + \gamma$, and using triangle inequality and union bound, we obtain

$$\varepsilon^\delta_{class} = \max_q \Pr\big[|\omega(q_S) - \omega(q_{\bar T})| > \delta\big] \le \min_{\xi}\Big(2\exp(-\tfrac{1}{2}\xi^2 k) + 4\exp\big(-k(\delta - \xi)^2/32\big)\Big) \le 6\exp(-k\delta^2/50) ,$$

where the last inequality follows from setting $\xi = \delta/5$ such that the two exponents coincide.



A.5 Example 5 — Pairwise one-out-of-two sampling, using only part of the sample 

For $\mathcal{A} = \{0, 1\}$, a bound on the error probability $\varepsilon^\delta_{class}$ is obtained as follows. Let $q$ be arbitrary, indexed as discussed earlier. First, we show that $\omega(q_{\bar T})$ is likely to be close to $\omega(q_T)$. For this, consider the pairs $(q_{i0}, q_{i1})$ for which $q_{i0} \ne q_{i1}$. Let there be $l$ such pairs (where obviously $l \le n$). We denote the restrictions of $q_T$ and $q_{\bar T}$ to these indices $i$ with $q_{i0} \ne q_{i1}$ by $q'_T$ and $q'_{\bar T}$, respectively. It is easy to see that $\mathrm{wt}(q'_T) + \mathrm{wt}(q'_{\bar T}) = l$. It follows that for any $\varepsilon > 0$ we have

$$\begin{aligned}
\Pr\big[|\omega(q_{\bar T}) - \omega(q_T)| > \varepsilon\big] &= \Pr\big[|\mathrm{wt}(q_T) - \mathrm{wt}(q_{\bar T})| > n\varepsilon\big] \\
&= \Pr\big[|\mathrm{wt}(q'_T) - \mathrm{wt}(q'_{\bar T})| > n\varepsilon\big] = \Pr\big[|2\,\mathrm{wt}(q'_T) - l| > n\varepsilon\big] \\
&\le 2\exp\Big(-2\big(\tfrac{n\varepsilon}{2l}\big)^2 l\Big) = 2\exp\Big(-\frac{n^2\varepsilon^2}{2l}\Big) \le 2\exp\big(-\tfrac{1}{2}\varepsilon^2 n\big) ,
\end{aligned}$$

where the third equality follows from replacing $\mathrm{wt}(q'_{\bar T})$ by $l - \mathrm{wt}(q'_T)$, and the first inequality follows from Hoeffding's inequality (as each entry of $q'_T$ is $1$ with independent probability $\frac{1}{2}$).

19 Note that our goal is to find a short and simple expression, rather than finding the tightest bound.

Furthermore, for any $\gamma > 0$ we have the following relation involving $q_S$:

$$\Pr\big[|\omega(q_T) - \omega(q_S)| > \gamma\big] \le 2\exp(-2k\gamma^2) ,$$

which follows from directly applying Hoeffding's inequality. Applying the union bound and letting $\delta = \varepsilon + \gamma$, we obtain

$$\varepsilon^\delta_{class} = \max_q \Pr\big[|\omega(q_{\bar T}) - \omega(q_S)| > \delta\big] \le 2 \min_{\varepsilon \in (0, \delta)} \Big[\exp\big(-\tfrac{1}{2}\varepsilon^2 n\big) + \exp\big(-2k(\delta - \varepsilon)^2\big)\Big]$$

where the last line follows from choosing $\varepsilon$ such that the two exponents coincide, and from doing some simplifications while assuming $k \le n/2$.
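The bounds of Appendices A.1 and A.5 can be compared against simulation; the following Python code is an added example, not code from the paper. It implements the sampling strategies of Example 1 and Example 5 classically, estimates their error probabilities by Monte Carlo, and evaluates bounds (4) and (5) and the bracketed union-bound term of A.5 (with its first term $2\exp(-\tfrac{1}{2}\varepsilon^2 n)$); the populations, $k$, $\delta$ and trial counts are constructed choices.

```python
"""Added example (not from the paper): Monte-Carlo check of the classical
error probabilities of Examples 1 and 5 against the bounds of Appendices
A.1 and A.5.  Populations, delta, k and trial counts are constructed choices."""
import math
import random

def omega(bits):
    """Relative Hamming weight omega(q) = wt(q)/len(q) (0.0 for the empty string)."""
    return sum(bits) / len(bits) if bits else 0.0

def example1_without_replacement(q, k, rng):
    """Example 1: T is a uniformly random k-subset of [n]; omega(q_T) is the
    estimate for omega(q_Tbar).  Returns (estimate, omega(q_Tbar))."""
    t = set(rng.sample(range(len(q)), k))
    q_t = [q[i] for i in t]
    q_tbar = [q[i] for i in range(len(q)) if i not in t]
    return omega(q_t), omega(q_tbar)

def example5_pairwise(pairs, k, rng):
    """Example 5 (the QKD strategy): from each pair (q_i0, q_i1) one position
    is selected uniformly; the selected bits form q_T, the others q_Tbar.
    The estimate for omega(q_Tbar) is omega(q_S) for a random k-subset S of T."""
    q_t, q_tbar = [], []
    for left, right in pairs:
        if rng.random() < 0.5:
            q_t.append(left)
            q_tbar.append(right)
        else:
            q_t.append(right)
            q_tbar.append(left)
    s = rng.sample(range(len(pairs)), k)
    return omega([q_t[i] for i in s]), omega(q_tbar)

def bound_a1(n, k, delta):
    """Bounds (4) and (5) of Appendix A.1 on Pr[|omega(q_Tbar) - omega(q_T)| > delta];
    (5) is only valid for k <= n/2.  Returns (bound_4, bound_5)."""
    alpha = k / n
    tight = 2 * math.exp(-2 * (1 - alpha) ** 2 * delta ** 2 * k)
    simple = 2 * math.exp(-delta ** 2 * k / 2)
    return tight, simple

def bound_a5(n, k, delta, eps):
    """Union-bound term of Appendix A.5 for one split delta = eps + gamma:
    2 [exp(-eps^2 n / 2) + exp(-2 k (delta - eps)^2)]."""
    return 2 * (math.exp(-eps ** 2 * n / 2) + math.exp(-2 * k * (delta - eps) ** 2))

def empirical_error(strategy, population, k, delta, trials, seed=0):
    """Fraction of independent runs in which |estimate - target| > delta."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        est, target = strategy(population, k, rng)
        if abs(est - target) > delta:
            bad += 1
    return bad / trials

if __name__ == "__main__":
    n, k = 1000, 500
    q = [1] * (n // 2) + [0] * (n // 2)  # constructed population, half ones
    print("Example 1 empirical:", empirical_error(example1_without_replacement, q, k, 0.1, 2000),
          "bounds (4),(5):", bound_a1(n, k, 0.1))
    pairs = [(1, 0)] * n  # every pair differs: l = n, the worst case for the first A.5 step
    print("Example 5 empirical:", empirical_error(example5_pairwise, pairs, k, 0.15, 2000),
          "A.5 term (eps = 0.1):", bound_a5(n, k, 0.15, 0.1))
```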

A.6 Example 6 — Pairwise biased one-out-of-two sampling, using only part of the sample 

It will be convenient to define the index set $t$ as the union of two subsets, $t_0 \subseteq [n] \times \{0\}$ and $t_1 \subseteq [n] \times \{1\}$. Note that the complements of these subsets should now be understood as $\bar t_0 = ([n] \times \{0\}) \setminus t_0$ and $\bar t_1 = ([n] \times \{1\}) \setminus t_1$. Let $t_0$ and $t_1$ be constructed as follows. We first sample a set $t \subseteq [n]$; for each element of $[n]$, we include it in $t$ with probability $p$. Then, $t_0 := t \times \{0\}$ and $t_1 := ([n] \setminus t) \times \{1\}$. Like $t$, the seed $s$ is also defined as the union of two randomly chosen sets, $s = s_0 \cup s_1$, where $s_0 \subseteq t_0$ and $s_1 \subseteq t_1$. These sets have fixed size; for a parameter $k \in \mathbb{N}$, $|s_0| = \frac{k}{2}$ and $|s_1| = \frac{k}{2}$. Now, the estimate for $\omega(q_{\bar t})$ is computed as $f(t, q_t, s) = \frac{1}{n}\big(|t_0|\,\omega(q_{s_0}) + |t_1|\,\omega(q_{s_1})\big)$.

We need to show that $\omega(q_{\bar T})$ is likely to be close to $\omega(q_S)$. Because we compute an estimate for $\omega(q_{\bar T})$ as a function of $\omega(q_{S_0})$ and $\omega(q_{S_1})$, we will first show that (with high probability) $\omega(q_{T_0}) \approx \omega(q_{S_0})$ and $\omega(q_{T_1}) \approx \omega(q_{S_1})$. Then, we argue that $\omega(q_{\bar T_0}) \approx \omega(q_{T_0})$ and $\omega(q_{\bar T_1}) \approx \omega(q_{T_1})$, from which we can also conclude (using the union bound) that $\omega(q_{\bar T_0}) \approx \omega(q_{S_0})$ and $\omega(q_{\bar T_1}) \approx \omega(q_{S_1})$. Finally, we apply the union bound again and combine the two bounds to obtain an upper bound for

$$\Pr\Big[\big|\omega(q_{\bar T}) - \tfrac{1}{n}\big(|T_0|\,\omega(q_{S_0}) + |T_1|\,\omega(q_{S_1})\big)\big| > \delta\Big] .$$

The first step in the proof follows directly from Hoeffding's inequality,

$$\Pr\big[|\omega(q_{T_0}) - \omega(q_{S_0})| > \gamma\big] \le 2\exp\big(-2|S_0|\gamma^2\big) = 2\exp(-k\gamma^2) , \quad\text{for any } \gamma > 0 .$$

Trivially, this bound also applies to the relation between $\omega(q_{T_1})$ and $\omega(q_{S_1})$, if we substitute appropriately. The second step, showing that $\omega(q_{\bar T_0})$ (respectively $\omega(q_{\bar T_1})$) is likely to be close to $\omega(q_{T_0})$ (resp. $\omega(q_{T_1})$), is slightly more involved. Namely, although the sum of the sizes of $T_0$ and $T_1$ is constant (to be precise, $|T_0| + |T_1| = n$), their individual sizes are random. In Example 3 (see also Appendix A.3), we have already encountered a similar, though not identical, situation, i.e., Example 3 considers uniformly random one-out-of-two sampling whereas here we analyze one-out-of-two sampling according to a Bernoulli $(p, 1-p)$ distribution. Nonetheless, it is straightforward to generalize the proof of Appendix A.3 to this (more general) case.

Let $X := |T_0|$. The expectation of $X$ is given by $E[X] = np$. Let $\mathcal{E}$ be the event that $X \in [(p - \beta)n, (p + \beta)n]$, for $\beta > 0$. From Hoeffding's inequality, we know that $\Pr[\bar{\mathcal{E}}] = \Pr\big[|\tfrac{X}{n} - p| > \beta\big] \le 2\exp(-2\beta^2 n)$. Like in Appendix A.3 we find an upper bound that holds conditioned on the event $\mathcal{E}$, by substituting the boundary points of the interval used to define $\mathcal{E}$ in (6),

$$2\exp\big(-2n\delta^2(1 - p - \beta)^2(p - \beta)\big) .$$

20 Again, Remark 1 applies.

Next, we apply the union bound to show that for $0 < \varepsilon < \gamma$

$$\Pr\big[|\omega(q_{\bar T_0}) - \omega(q_{S_0})| > \gamma \,\big|\, \mathcal{E}\big] \le 2\exp\big(-2n\varepsilon^2(1 - p - \beta)^2(p - \beta)\big) + 2\exp\big(-k(\gamma - \varepsilon)^2\big) .$$

By substituting $p$ by $1 - p$ in the expression above, we also obtain

$$\Pr\big[|\omega(q_{\bar T_1}) - \omega(q_{S_1})| > \gamma \,\big|\, \mathcal{E}\big] \le 2\exp\big(-2n\varepsilon^2(p - \beta)^2(1 - p - \beta)\big) + 2\exp\big(-k(\gamma - \varepsilon)^2\big) .$$

Finally, we combine the two bounds and we get rid of the conditioning on $\mathcal{E}$ by adding $\Pr[\bar{\mathcal{E}}]$. For any $\delta > 0$ and $0 < \varepsilon < \delta$, we may write

$$\begin{aligned}
\varepsilon^\delta_{class} &= \max_q \Pr\Big[\big|\omega(q_{\bar T}) - \tfrac{1}{n}\big(|T_0|\,\omega(q_{S_0}) + |T_1|\,\omega(q_{S_1})\big)\big| > \delta\Big] \\
&= \max_q \Pr\Big[\big|\mathrm{wt}(q_{\bar T}) - \big(|T_0|\,\omega(q_{S_0}) + |T_1|\,\omega(q_{S_1})\big)\big| > n\delta\Big] \\
&= \max_q \Pr\Big[\big|\mathrm{wt}(q_{\bar T}) - \big(|T_0|\,\omega(q_{S_0}) + |T_1|\,\omega(q_{S_1})\big)\big| > \big(|T_0|\delta + |T_1|\delta\big)\Big] \\
&\le \max_q \Pr\big[|\omega(q_{\bar T_0}) - \omega(q_{S_0})| > \delta\big] + \Pr\big[|\omega(q_{\bar T_1}) - \omega(q_{S_1})| > \delta\big] \\
&\le 2\exp\big(-2n\varepsilon^2(1 - p - \beta)^2(p - \beta)\big) + 2\exp\big(-2n\varepsilon^2(p - \beta)^2(1 - p - \beta)\big) + 4\exp\big(-k(\delta - \varepsilon)^2\big) + 2\exp(-2\beta^2 n) .
\end{aligned}$$

B Proof of Lemma 1

Proof. We will show that $|J|\,\rho^{mix}_{WE} \ge \rho_{WE}$, to be understood in that $|J|\,\rho^{mix}_{WE} - \rho_{WE}$ is positive semi-definite. With this shown, it then follows that for any density matrix $\sigma_E$ and for any non-negative $h \in \mathbb{R}$

$$2^{-(h - \log|J|)}\,\mathbb{I}_W \otimes \sigma_E - \rho_{WE} \;\ge\; 2^{-h}|J|\,\mathbb{I}_W \otimes \sigma_E - |J|\,\rho^{mix}_{WE} \;=\; |J|\big(2^{-h}\,\mathbb{I}_W \otimes \sigma_E - \rho^{mix}_{WE}\big)$$

so that if the right-hand side is positive semi-definite then so is the left-hand side. The claimed bound $H_{\min}(\rho_{WE} \mid E) \ge H_{\min}(\rho^{mix}_{WE} \mid E) - \log|J|$ then follows by the definition of the min-entropy. Writing out the measurements explicitly yields

$$\rho_{WE} = \sum_w \big(|w\rangle\langle w| \otimes \mathbb{I}_E\big)|\varphi_{AE}\rangle\langle\varphi_{AE}|\big(|w\rangle\langle w| \otimes \mathbb{I}_E\big) = \sum_w \sum_{i,j \in J} \alpha_i \bar\alpha_j\, |w\rangle\langle w|i\rangle\langle j|w\rangle\langle w| \otimes |\varphi^i_E\rangle\langle\varphi^j_E|$$

and

$$\rho^{mix}_{WE} = \sum_{i \in J} |\alpha_i|^2 \sum_w |\langle w|i\rangle|^2\, |w\rangle\langle w| \otimes |\varphi^i_E\rangle\langle\varphi^i_E| .$$

We want to show that $\langle\xi|\big(|J|\,\rho^{mix}_{WE} - \rho_{WE}\big)|\xi\rangle \ge 0$ for all $|\xi\rangle \in \mathcal{H}_W \otimes \mathcal{H}_E$. We first consider $|\xi\rangle$ of the special form $|\xi\rangle = |v\rangle|\psi_E\rangle$ with $v \in \mathcal{W}$, and compute/bound $\langle\xi|\rho_{WE}|\xi\rangle$ and $\langle\xi|\rho^{mix}_{WE}|\xi\rangle$ as

$$\langle\xi|\rho_{WE}|\xi\rangle = \sum_{i,j \in J} \alpha_i \bar\alpha_j\, \langle v|i\rangle\langle j|v\rangle\, \langle\psi_E|\varphi^i_E\rangle\langle\varphi^j_E|\psi_E\rangle = \Big|\sum_{i \in J} \alpha_i \langle v|i\rangle\langle\psi_E|\varphi^i_E\rangle\Big|^2 ,$$

and

$$\langle\xi|\rho^{mix}_{WE}|\xi\rangle = \sum_{i \in J} |\alpha_i|^2\, |\langle v|i\rangle|^2\, |\langle\psi_E|\varphi^i_E\rangle|^2 \;\ge\; \frac{1}{|J|}\Big|\sum_{i \in J} \alpha_i \langle v|i\rangle\langle\psi_E|\varphi^i_E\rangle\Big|^2 = \frac{1}{|J|}\langle\xi|\rho_{WE}|\xi\rangle ,$$

where the inequality follows from the Cauchy-Schwarz inequality. The claim, $\langle\xi|\big(|J|\,\rho^{mix}_{WE} - \rho_{WE}\big)|\xi\rangle \ge 0$, for an arbitrary $|\xi\rangle = \sum_{w \in \mathcal{W}} \mu_w |w\rangle|\psi^w_E\rangle \in \mathcal{H}_W \otimes \mathcal{H}_E$ now follows by linearity, and by noting that $\langle v, \psi_E|\rho_{WE}|v', \psi'_E\rangle = 0 = \langle v, \psi_E|\rho^{mix}_{WE}|v', \psi'_E\rangle$ for all distinct $v, v' \in \mathcal{W}$, so that all "cross-products" vanish.

□

C The Tightness of Theorem 1 

We show here that in general the inequality from Theorem 3 is tight. Specifically, we specify a natural class of sampling strategies for which Theorem 3 is an equality. Informally, this class consists of sampling strategies that behave in exactly the same way if the randomized choices $T$ and $S$ are replaced by fixed choices $t_0$ and $s_0$, and instead the coordinates of $q$ are shuffled by means of a uniformly random permutation (chosen from a subgroup of all permutations). The formal definition is given below, but let us point out already here that Example 1 as well as the QKD sampling strategy discussed in Example 5 belong to this class. Indeed, for Example 1, instead of choosing a random subset $T$ of size $k$ one can equivalently choose a fixed subset and randomly permute the positions of $q$. And, similarly for Example 5, instead of choosing left or right from each pair $(q_{i0}, q_{i1})$ at random and then choosing a random subset of size $k$ of the selected $q_{ij}$'s, one can equivalently fix these choices and swap each pair $(q_{i0}, q_{i1})$ with probability $\frac{1}{2}$ and apply a random permutation to the first index.

Let $S_n$ denote the symmetric group of degree $n$, i.e. the group of permutations on $[n]$. For any $\pi \in S_n$ and $q = (q_1, \ldots, q_n) \in \mathcal{A}^n$, we write $\pi q$ to express that $\pi$ permutes the positions of the elements of $q$, i.e., $\pi q = (q_{\pi^{-1}(1)}, \ldots, q_{\pi^{-1}(n)})$. If $V$ is a set of strings $q \in \mathcal{A}^n$, then $\pi V$ means that the permutation $\pi$ acts element-wise on $V$.

Definition 5 ($G$-Symmetry of a sampling strategy). Let $\Psi$ be a sampling strategy, let $G$ be a subgroup of $S_n$, where $n$ is the size of the population to which $\Psi$ is applied, and let $\Pi$ be a random permutation, uniformly distributed over $G$. We call $\Psi$ $G$-symmetric, if there exist $t_0 \subseteq [n]$ and $s_0 \in \mathcal{S}$ such that

$$\big(\omega(q_{\bar T}),\, f(T, q_T, S)\big) \;\sim\; \big(\omega((\Pi q)_{\bar t_0}),\, f(t_0, (\Pi q)_{t_0}, s_0)\big)$$

where "$\sim$" means that the pairs have the same probability distribution.



A direct consequence of this definition is the following relation, which we will apply later in this section.

$$B^\delta_{T,S} = \big\{q \in \{0,1\}^n : |\omega(q_{\bar T}) - f(T, q_T, S)| \le \delta\big\} \;\sim\; \big\{q \in \{0,1\}^n : |\omega((\Pi q)_{\bar t_0}) - f(t_0, (\Pi q)_{t_0}, s_0)| \le \delta\big\} = \Pi^{-1} B^\delta_{t_0, s_0} .$$

We can now rephrase Proposition 1 and prove it.

Proposition 1 (Rephrased). For any $G$-symmetric sampling strategy $\Psi$ and any $\delta > 0$:



, 2 



Proof. We need to show that there exists a system $E$ and a state $|\varphi_{AE}\rangle$ such that $\delta(\rho_{TSAE}, \tilde\rho_{TSAE}) \ge \sqrt{\varepsilon^\delta_{class}}$ for $\tilde\rho_{TSAE}$ that minimizes the left hand side. As pointed out after the proof of Theorem 3, the particular construction of $\tilde\rho_{TSAE}$ used in the proof of Theorem 3 does minimize $\delta(\rho_{TSAE}, \tilde\rho_{TSAE})$. Hence, it suffices to show that there exists a system $E$ and a state $|\varphi_{AE}\rangle$ (that depends on $G$) such that



\( ~ ^ (7) 

A (Ptsae j Ptsae ) = 



Y,PT S {t,s)\^ AE \^)\ 



t.s 
where $\rho_{TSAE}$ and $\tilde\rho_{TSAE}$ are constructed as in the proof of Theorem 3. The derivation of equality (7) can be found in the proof of Theorem 3. The outline of the remaining part of the proof is as follows; we first present a candidate for $|\varphi_{AE}\rangle$ and then we show that equalities (8) and (9) do indeed hold for this state.

We choose $E$ to be empty. Furthermore, we define

$$|\varphi_{AE}\rangle := \frac{1}{\sqrt{|G|}} \sum_{\pi \in G} |\pi q^*\rangle ,$$

where $q^*$ is such that $\Pr[q^* \notin B^\delta_{T,S}] = \varepsilon^\delta_{class}$. It follows from the projection construction for $\tilde\rho_{TSAE}$ that

$$|\tilde\varphi_{AE}\rangle = \frac{1}{\sqrt{|H_{t,s}|}} \sum_{\pi \in H_{t,s}} |\pi q^*\rangle ,$$

where $H_{t,s} \subseteq G$, i.e. $H_{t,s} := \{\pi \in G : \pi q^* \in B^\delta_{t,s}\}$.

To prove equality (8), we need to show that the inner product $|\langle\tilde\varphi_{AE}|\varphi_{AE}\rangle|$ is independent of $t$ and $s$. Because $|\varphi_{AE}\rangle$ is a uniform superposition over permutations of $q^*$ and $|\tilde\varphi_{AE}\rangle$ is a renormalized projection of $|\varphi_{AE}\rangle$, we can easily compute this inner product, $|\langle\tilde\varphi_{AE}|\varphi_{AE}\rangle| = |H_{t,s}| / \sqrt{|G| \cdot |H_{t,s}|} = \sqrt{|H_{t,s}| / |G|}$. It suffices to show that $|H_{t,s}|$ is independent of $(t, s)$. It follows from the $G$-symmetry that there exists a $\pi$ such that $B^\delta_{t,s} = \pi B^\delta_{t_0, s_0}$. Furthermore, let $\Pi$ be a random permutation, uniformly distributed over $G$. By definition of $H_{t,s}$ and because $\Pi$ is uniformly distributed over $G$, we may write

$$|H_{t,s}| = |G| \cdot \Pr\big[\Pi q^* \in B^\delta_{t,s}\big] = |G| \cdot \Pr\big[q^* \in \Pi^{-1}\pi B^\delta_{t_0, s_0}\big] = |G| \cdot \Pr\big[q^* \in \Pi^{-1} B^\delta_{t_0, s_0}\big] , \qquad (10)$$

where the last expression is clearly independent of $(t, s)$.

Now, let us focus on equality (9). We derived in the proof of Theorem 3 that $\sum_{t,s} P_{TS}(t, s)\, |\langle\varphi_{AE}|\tilde\varphi_{AE}\rangle|^2 = \sum_q P_Q(q)\, \Pr[q \in B^\delta_{T,S}]$, where the random variable $Q$ is obtained by measuring subsystem $A$ of $|\varphi_{AE}\rangle$. By definition of $|\varphi_{AE}\rangle$, $P_Q(q) > 0$ only for $q$ of the form $\pi q^*$ for some $\pi \in G$. Hence, to prove equality (9) we have to show that for any $\pi \in G$, $\Pr[\pi q^* \notin B^\delta_{T,S}] = \varepsilon^\delta_{class}$. This follows directly from the $G$-symmetry,

$$\Pr\big[\pi q^* \notin B^\delta_{T,S}\big] = \Pr\big[\pi q^* \notin \Pi^{-1} B^\delta_{t_0, s_0}\big] = \Pr\big[q^* \notin \pi^{-1}\Pi^{-1} B^\delta_{t_0, s_0}\big] = \Pr\big[q^* \notin \Pi^{-1} B^\delta_{t_0, s_0}\big] = \Pr\big[q^* \notin B^\delta_{T,S}\big] . \qquad (11)$$

Finally, note that (10) and (11) rely on the group structure of $G$. □